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Abstract. This technical report contains the proofs to the lemmata and theorems of |PN12) as well as some 
additional material. As main contributions [PN12] presents an encoding of mixed choice in the context of the 
7r-calculus and a criterion to measure whether the degree of distribution in process networks is preserved. 



1 Technical Preliminaries 

o 

| 1.1 The 7r-Calculus 

Our source language is the monadic 7r-calculus as described for instance in |SW01j . As already demonstrated in 
|Pal03] the most interesting operator for a comparison of the expressive power between the full 7r-calculus and its 
asynchronous variant is mixed choice, i.e., choice between input and output capabilities. Thus we denote the full 
7r-calculus also by 7r m . Let Af denote a countably infinite set of names with r ^ Af and Af the set of co-names, i.e., 
i- 1. TV* = {n | n G A/"}. We use lower case letters a, a', a±, . . . , x, y, . . . to range over names. 

o ■ 

Definition 1 (7r m ). The set of process terms of the synchronous 7r-calculus (with mixed choice), denoted by P m , 
is given by 
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P::={vn)P \ P 1 \ P 2 \ [a = b]P \ y* (x) .P | ^T^.P 
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, where ir ::— y (x) | y (z) | r for some names n, a, b,x,y, z G Af and a finite index set I . 

The interpretation of the defined process terms is as usual. Moreover we consider two subcalculi of 7r m . The process 
terms V s of 7r s — the n-calculus with separate choice — are obtained by restricting the choice primitive, such that in 
each choice either no input guarded or no output guarded alternatives appear. 

Definition 2 (tt s ). The set of process terms of the 7r-calculus (with separate choice), denoted by V s , is given by 

P::={un)P \ P 1 \P 2 \ [a = b]P | y* (x) .P | ^/.P, | 5>?.P 2 

iei iei 

where ir 1 y (x) \ r and ir° ::= y (z) \ t for some names n, a, b,x,y,z G Af and a finite index set I . 

Finally, the process terms Pa of the asynchronous n-calculus 7r a [Bou92 HT9T) are obtained by restricting each 
sum to be of length zero or one and requiring, that outputs can only guard the empty sum. 

Definition 3 (7r a ). The set of process terms of the asynchronous 7r-calculus, denoted by V a , is given by 

P ::= | {vn)P \ P X \P 2 \ [a = b]P \ y {z) .P \ y(x).P \ r.P \ y* (x) .P 

for some names n,a,b,y e Af and some finite sequences of names x, z C Af. 

Note that we augment all three variants of the 7r-Calculus with matching, because we need it at least in 7r a to 
encode mixed choice. Of course, the presence of match influences the expressive power of 7r a . However, we do not 
know, whether the use of match in the encoding of mixed choice can be circumvented, although there are reasons 
indicating that this is indeed not possible. We left the consideration of this problem to further research. 

We use capital letters P, P', Pi, . . . , Q, R, . . . to range over processes. Let fn(P), bn(P), and n(P) denotes the sets 
of free names, bound names and all names occurring in P, respectively. Their definitions are completely standard. 
Given an input prefix y (x) or an output prefix y (x) we call y the subject and x the object of the action. Moreover we 
denote the subject of an action also as link or channel name, while we denote the object as value or parameter. Note 
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that in case the object does not matter we omit it, i.e., we abbreviate an input guarded term y (x) .P or an output 
guarded term y (x) .P such that x ^ fn(-P) by y.P or y.P, respectively. Moreover we denote the empty sum with 
and often omit it in continuations. As usual we sometimes notate a sum u ± i 1 7Tj -P% by .Pi 1 + . . . + TTi n .Pj n . 

We use cr,a',ai, ... to range over substitutions. A substitution is a mapping { X1 / yi , ■ ■ ■ , Xn / Vn } from names to 
names. The application of a substitution on a term { X1 / Vl , ■ ■ ■ , Xn / Vn } (P) is defined as the result of simultaneously 
replacing all free occurrences of yi by X4 for i S {1, . . . , n}, possibly applying alpha-conversion to avoid capture 
or name clashes. For all names Af \ {yi, ■ ■ ■ ,y n } the substitution behaves as the identity mapping. Let id denote 
identity i.e. id is the empty substitution. We naturally extend substitutions to co-names, i.e. Vn £ AT . a (n) = a (n) 
for all substitutions a. 

Moreover, let x denote a sequence of names. For simplicity, we occasionally treat x as a set. So x C M denotes 
a sequence of names of the set M, |x| is the length of the sequence x, and y G x denotes that y is one of the 
names within the sequence x. Accordingly, we use the notion of sequence to abbreviate multiple restrictions, i.e., 
(y x) P = {y x\) . . . {y x n ) P for a sequence of names x = x±, . . . , x n . Moreover we naturally extend substitutions 
to sequences of names, i.e., a (x) = a (xi) , . . . , a (x„) and { x /y} P = { Xl / yi , ■ ■ ■ > Xn /y„}P f° r two sequences of 
names x = Xi, . . . ,x„ and y = y 1 ,...,y n . 



P = Q if Q can be obtained from P by renaming one or more of the bound names in P, 
silently avoiding name clashes 

P\0 = P P\Q = Q\P P\{Q\R) = {P\Q)\R [a^a]P = P 

(un)0 = {vn){vm)P = {um){un)P P \ (y n) Q = (v n) (P | Q) if n £ fn(P) 



Fig. 1. Structural congruence. 



The reduction semantics of 7r m , 7r s , and 7r a are jointly given by the transition rules in Figure [51 where structural 
congruence, denoted by =, is given by the rules in Figure [1] Note that the rule COM a for communication in 7r a is a 
simplified version of the rule COM m s for communication in 7t m or tt s . The differences between these two rules result 
from the differences in the syntax, i.e. the lack of choice and the fact that only input can be used as guard in 7r a . 
The same can be observed for the rules TAU a and REP a . As usual, we use = a if we refer to alpha-conversion (the 
first rule of Figure [1]) only. 



TAU m , s . . . + r.P + . . . 1 ► P TAUa r.P 1— > P 

COM m , s (... + y(x).P + ...) I (...+y{z).Q + ...)^{%}P\Q 

COM a y(x).P\y{z)^ {%}P H\x\ = \z\ 

R EPm , s y* (x) P\(...+y (z) .Q + . . .) 1 > {74 P I Q I y* (x) .P 

R E p a y*(x).P\y(z)^{%}P\y*(x).P if |£| = \z\ 

P^P' P^P' _ PeeP' P'^Q' Q' = Q 

Par - . , - Res -, — r-^ ; — r-=- Cong =- ^ — — 

P\Qi — >P'\Q (m)Pi — >(vx)P> 



Pi 



Fig. 2. Concurrent reduction semantics. 



Let P i — > (P >/—>■) denote existence (non-existence) of a step from P, i.e. there is (no) P 1 6 P such that 
P i — > P'. Moreover, let t=> be the reflexive and transitive closure of i — > and let i — >°° define an infinite sequence 
of steps. 

In Section [131 we present several criteria to measure the quality of an encoding. The first of these criteria relies 
on the notion of a context. A context C ... ,[■]„) is a 7r-term, i.e., a 7r a -term in case of Definition [7j with n 
so-called holes. Plugging the 7r a -terms Pi, . . . , P n in this order into the holes [-]i, . . . , [•]„ of the context, respectively, 
yields a term denoted C (Pi, . . . , P n ). Therefore, we consider a context as a function from terms into terms, e.g., the 
context C ... , [-] n ) € P a x • • ■ x Pa — > Pa maps n 7r a -terms onto a 7r a -term. Sometimes, we refer to Pi, . . . , P n 
as the parameters of the context C. Note that a context may bind some free names of Pi, . . . ,P n . The arity of a 
context is the number of its holes. 

As usual we will use equivalence relations to compare 7r-terms by means of their behaviour. Moreover, as explained 
in Section [1.31 we use an equivalence to abstract from junk, i.e., remains of encoded terms that are no longer of any 
use. Since we use a reduction semantics, a standard equivalence to compare 7r m -terms is barbed congruence, denoted 
by =. Its definition relies on the notion of an observable or barb (we refer to [SW01| for a detailed explanation). 

Definition 4 (Observable). Let P e P m . Then P has an input observable y, denoted by P \. y> if P can perform 
an input on y, i.e., 

BP', P" e P m . 3x c M . 3z e AT . P = (vx) {P' | y (z) .P") Ay£x 
and P has an output observable y, denoted by P \.y, if P can perform an output on y, i.e., 
3P',P" e P m . 3x c AA . 3z e M . P = {vx) (P' | y{z) .P") Ay <£ x. 

1.2 Abbreviations 

To shorten the presentation and ease the readability of the rather lengthy encoding function in the next section, 
we use some abbreviations on 7r a -terms. First note that we defined only monadic versions of the calculi 7r m , 7r s , 
and 7r a , where over any link exactly one value is transmitted. However, within the presented encoding functions, 
we treat the target language 7r a as if it allows for polyadic communication. More precisely, we allow asynchronous 
links to carry any number of values from zero to five, of course under the requirement that within each 7r a -term 
no link name is used twice with different multiplicities. Note that these polyadic actions can be simply translated 
into monadic actions by a standard encoding as given in |SW01j . Thus, we silently use the polyadic version of 7r a in 
the following. Second, as already done in [NesOOj . we use the following abbreviations to define boolean values and 
a conditional construct. 

Definition 5 (Tests on Booleans). LetM = {T,_L} be the set of boolean values, where T denotes true and _L 
denotes false. 

Let l,t, f € AA and P,Q £ P a . Then a boolean instantiation of I, i.e., the allocation of a boolean value to a link 
I, and a test-statement on a boolean instantiation are defined by 

I(T) 4 l(tj).t 

l(±) 4 l( t J)J 

test I then P else Q = [yt, f) (1 (t, f) \t.P \ f.Q) 

for some t,f £ fn(P) Ufn(Q). 

Finally, we define forwarders, i.e., a simple process to forward each received message along some specified set of 
links. 

Definition 6 (Forwarder). Let I be a finite index set and for all i £ I let y and yi be channel names with 
multiplicity n G N, then a forwarder is given by: 

V -» {Vi \i 6 1} = y* (xi, . . . ,x n ) . I JJyi (xi, 

Vie/ 

In case of a singleton set we omit the brackets, i.e., y -» y' = y -» {y'}. 




1.3 Quality Criteria for Encodings 



Within this paper we consider two encodings, (1) an encoding from ir s into 7r a presented in [NesOOj . denoted by 
[ • and (2) a new encoding from 7r m into 7r a , denoted by [ • ] a . To measure the quality of such an encoding, 
Gorla [GorlOj suggested five criteria well suited for language comparison. Accordingly, we consider an encoding to 
be "good" , if it satisfies Gorla's five criteria. 

As in [GorlOj . an encoding is a mapping from a source into a target language; in our case, 7r m and 7r s are source 
languages and 7r a is the target language. To distinguish terms on these languages or definitions for the respective 
encodings, we use m, s, and a as super- and subscripts. Thereby, the superscript usually refers to the source and 
the subscript the target language. Moreover, we use S, S', Si, . . . to range over terms of the source languages and 
T, T' , Ti, . . . to range over terms of the target language. 

The five conditions are divided into two structural and three semantic criteria. The structural criteria include 
(1) compositionality and (2) name invariance. The semantic criteria include (3) operational correspondence, (4) 
divergence reflection and (5) success sensitiveness. Note that for the definition of name invariance and operational 
correspondence a behavioural equivalence x on the target language is assumed. Its purpose is to describe the 
abstract behaviour of a target process, where abstract basically means with respect to the behaviour of the source 
term. 

Intuitively, an encoding is compositional if the translation of an operator depends only on the translation of its 
parameters. To mediate between the translations of the parameters the encoding defines a unique context for each 
operator, whose arity is the arity of the operator. Moreover, the context can be parametrised on the free names of 
the corresponding source term. 

Definition 7 (Criterion 1: Compositionality). The encoding [ • ] is compositional if, for every k-ary operator 
op ofir m and for every subset of names N , there exists a k-ary context C^ p ([-]i, ... ,[•]&) such that, for all Si, . . . , Sk 
with fn(Si) U . . . U fn(5 fe ) = N, it holds that 

[ op (ft,. ..,S fc )]=C£([ Si], ...,[£*]). 

If the context is again the original operator, i.e., if an operator is translated by encoding its parameters and apply 
the renaming policy, as in [ (v x) P ] = (x)) [ P ], we call this encoding rigid. Note that Gorla requires that 

the parallel composition operator "|" is binary and unique in the source as well as in the target language. Thus, 
compositionality prevents from introducing a global coordinator or to use global knowledge, i.e., knowledge about 
surrounding source terms or the structure of the parameters. 

The second structural criterion states that the encoding should not depend on specific names used in the source 
term. This is important, since sometimes it is necessary to translate a source term name into a sequences of names 
or reserve some names for the encoding function. To ensure that there are no conflicts between these reserved 
names and the source term names, the encoding is equipped with a renaming policy yy, i-e., a substitution from 
names into sequences of namesQ. Since we translate source term names only into single names, the renaming policies 
introduced by [ ■ and [ • ] are injective substitutions from names into names. Based on such a renaming policy 
an encoding is independent of specific names if it preserves all substitutions a on source terms by a substitution a' 
on target terms such that a' respects the changes made by the renaming policy. 

Definition 8 (Criterion 2: Name Invariance). The encoding [ ■ ] is name invariant if, for every S and a, it 
holds that 

I X o \\b J) otherwise 

where a' is such that ipt j (a (n)) = a' (n)) for every n G J\f. 

The first semantic criterion and usually the most elaborate one to prove is operational correspondence, which 
consists of a soundness and a completeness condition. Completeness requires that every computation of a source 
term can be emulated by its translation, i.e., the translation does not reduce the computations of the source term. 
Note that encodings often translate single source term steps into a sequence of target term steps. We call such a 
sequence an emulationol the corresponding source term step. Soundness requires that every computation of a target 
term corresponds to some computation of the corresponding source term, i.e., the translation does not introduce 
new computations. 



1 To keep distinct names distinct Gorla assumes that Vn, m 6 M . n ^ m implies (/Jy (n) (~l ft] (m) = 0, where ipy (a;) is 
simply considered as set here. 



Definition 9 (Criterion 3: Operational Correspondence). Let [ • ] be an arbitrary encoding. Then, two op- 
erational criteria are defined as follows. 

Completeness: For all S S', it holds that [ S ] l=^x [ S' J. 
Soundness: For all [[ S ] t=> T, there exists an S' such that 
S^S' and T l=*»x \S'\. 

Note that the definition of operational correspondence relies on the equivalence X to get rid of junk possibly left 
over within computations of target terms (compare to Section HOI for a discussion of that equivalence). Sometimes, 
we refer to the completeness criterion of operational correspondence as operational completeness and, accordingly, 
for the soundness criterion as operational soundness. 

The next criterion concerns the role of infinite computations in encodings. 

Definition 10 (Criterion 4: Divergence Reflection). The encoding [ • ] reflects divergence if, for every S, 

1 S\ i — y u implies S i — Y u . 

The last criterion links the behaviour of source terms to the behaviour of their encodings. With Gorla [GorlOj . we 
assume a success operator / as part of the syntax of both the source and the target language, i.e., of ir m , ir s , and 
7r a . Since / can not be further reduced, the operational semantics is left unchanged in all three cases. Moreover, 
note that n(/) = fn(/) = bn(/) = 0, so also interplay of / with the rules of structural congruence is smooth and 
does not require explicit treatment. The test for reachability of success is standard. 

Definition 11 (Success). A process P G V may lead to success, denoted as P JJv, if (and only if) it is reducible 
to a process containing a top-level unguarded occurrence of J, i.e. 3P' , P" G V . P t=> P' A P' = P" \ •/. 

Note that we choose may-testing here. Finally, an encoding preserves the abstract behaviour of the source term if 
it and its encoding answer the tests for success in exactly the same way. 

Definition 12 (Criterion 5: Success Sensitiveness). The encoding [ • ] is success sensitive if, for every S, 
S -IJv if and only if J S ] J|/. 

This criterion only links the behaviours of source terms and their literal translations, but not of their continuations. 
To do so, Gorla relates success sensitiveness and operational correspondence by requiring that the equivalence on 
the target language never relates two processes with different success behaviours. 

Definition 13 (Success Respecting), x C P a x P a is success respecting if, for every P and Q with P JJ./ and 
Q it holds that P ~jtQ. 

2 Correctness of the Encodings 

Let us first present the full representations of the encodings [ • ] a hi Figure [3] and [ • ]™ in Figure [4] Note that in 
NesOO NPOO slightly different version of 7r s and 7r a are used, namely r is no prefix and there are neither a match 
operator nor a success operator in the syntax of 7r s and 7r a . We choose the respective encodings to be rigid except 
for source terms guarded by r. Since r guarded terms can reduce without a communication partner, we implement 
their translation by a simple test-statement on their sum lock in both encodings. 

In the following we will argue for the correctness of these encodings with respect to the criteria of Gorla presented 
in Section [L3l 

2.1 Structural Criteria 

The first two criteria to prove are the structural criteria; compositionality and name invariance. An encoding is 
compositional if it defines a fixed context for each operator including holes for the translation of its parameters. By 
Definition [7] of compositionality the context is allowed to depend on the free names of the parameters. However, 
both presented encodings, [ • ] and [ • ] , do not use that feature, i.e., the contexts do not depend on any names. 
By Figure [3] and Figure 0] both encodings are obviously compositional. 

Let us have a closer look at the contexts. In the encodings of restriction, matching and success the context is 
used only to translate source term names according to the renaming policy. Apart from that the encodings are rigid. 
The encoding of the sum operator inserts a positive instantiation of a fresh sum lock and splits up the encodings 
of the summands in parallel because there is no sum operator in the target language. Therefore of course we have 
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¥> S a (yT (I, s, (»)) -test i then 7 <J_) | 7 | [ P ]= else 7 (_L) 
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Here ip\ is some arbitrary injective substitution such that Vn 6 Af . <p% (n) n /', r, s} 



Fig. 3. Encoding from n s into 7r a . 



to consider the sum operator as binary operator with an index set and a set of its summands as parameters, or 
as unary operator with the set or lisi|j of its summands as parameter. We left the question whether there is an 
encoding from 7r m into 7r a with the binary sum operator as an open question to further research. The encodings of 
input and output guarded terms and the encoding of terms guarded by r introduce rather small contexts. However, 
in case of [ • ] the contexts introduced to translate the binary parallel operator and replicated input are rather 
complicated and huge. Remember that we claim in Section [1.31 that the parallel operator is binary. Comparing its 
encoding with the encoding of the sum operator we observe that this claim may be crucial because it forbids the 
introduction of a global coordinator for all parallel terms as the sum lock is for all the summands of a sum. 

Name invariance follows by the fact that names are translated into single names again and that conflicts between 
names used by the encoding functions and translated source term names are ruled out by the renaming policy. 



Lemma 1. The encoding [ • ] is name invariant. 

Proof. By Definition [8] it suffice to show, that: 

VSeVs.VaCM.3a' CM. [ a (S) ] a ^ a a' ({ S ] S J A Vz G M . <p\ (a (z)) = a' (<p s a (*)) 
Without loss of generality let a = { Vl / X1 , ■ ■ - Vn /x„} f° r some tieE We choose 

(j f 4 Iflivi)/ vl(Vn)/ X 

So Vz G M . ip 8 a (a (z)) = a' [ip\ (z j). We proceed with an induction over the structure of S. 

Base Case: Since n(/) = = n(0) and fn((i/ 1)1 (T» = 0, we have [<r(/)la = I ^la = ✓=«/(✓) = J ([ / ]') 

and I o (0) ] s a = [ J: = (W) T (T) = a' ([vl) I (T)) = a' ([ ] S J. 
Induction Hypothesis: \/S G V s . Vcr C M . 3a' C M . [a(S) ] a = a a' ([ S fj 



2 Usually an unordered set of summands suffice to describe a sum since usually we consider sums as being reflexive and 
symmetric, i.e., A + A — A and A + B — B + A. If for some reasons we have to abandon reflexivity and/or symmetry, e.g. 
in case of a randomised version of the calculi, an ordered list might be the better choice to describe a sum. 
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Here ^2™ is some arbitrary injective substitution such that Vn € M . if™ (n) n = 0, where is the set of reserved names, 

i.e., N = {po , Pi-, Po,up-, Pi,up , tllo-, fTli-, tTlo, up , 1Thi,up-, Co , C£, Is, lr, ll, fo, S, V, C r l , C r g , fi, T , Vi, U p, To.up, y,y',z,t,f}. 



Fig. 4. Encoding [ • |™ from 7r m into 7r a . 



Induction Step: Let x' £ N be such that x' ^ n(cr) U fn(P). Then ip™ (x 1 ) ^ n(er). Moreover, since Vn G 
TV . <£™ (n) ^ r, s}, we have n(cr') n {I, I', r, s} = 0. Note that: 



({ X '/ X }(P) 



{ X '/ X , w / Xi \ Vi / Xi e a A Xi ^ x} (P) 
=a {^W/rtx),*™ \ Vi /xtSvAXi* x} (I P ]«) 

= { rt ^Vrt(x), v;( "%Kxo r 1(w) e <7' a ^ a ( S< ) ^ ^ (x)} (i p ]■) 
=^({^ x \i(x)}ap]:)) 



by IH 



We proceed by a case split. 
Case of S = {v x) P: Then 



I * (S) t = I o {{v x) P) t= a [a ((!/ x') {-% } (P)) ] ^ = [ (^) o- ({*%} (P)) 
= (1/ ^ a {x')) [ a ({*'/, } (P)) ]'=„(„ ^ (x')) a' ({^'V^ } ([ P ]' ; 



a' ((^ a (x')) {*( X 'V V .(*)} (I P ID) o> {{vvl (*)) lPfJ = a' (I S fj . 



Case of S = P \ Q: Then 

l<r(S)ll = l<T(P\Q)Z = l*{P)\<T(Q)}l = l<T{P)t\l<T(Q)t=a ^'PlDk'dQD 

= ^([^]:i[Q]l) = ^([ J p|QD- 

Case of S = [ a = b ] P: Then 

l^(S)}l = la([a = b]P)jl = U^(a)=a(b)]a(P)}l=[<pl(a(a))= V l(a(b))]la(P)t 
^ a [ a' (cpl (a)) = a' (b)) ]a'{\P ]«) = a' ([ # (a) = </ a (6) ] [ P ] S J = a' ([ 5 ]') . 



Case of 5 = X^e/ ^-Pi 1 Then 



"(S)]I = 




s 








a 


. iei J 



= (ul)(l(T)\Jlla(7r i .P i )} s ^ 



Case of 5 = r.P: Then 



o- (S) Fa = I * (^) 11 = I r.a (P) ] s a = test / then I (J.) | [ a (P) ]' else I (_L) 

= Q test / then I (_L) | a' ([ P ] a ) else I (_L) = ct' (test / then I (_L) | [ P ]' else I (_L)) 
= ^'(I5] S J. 



Case of S = y (z) .P: Then 



I o (S) t = I a (y (z) .P) ] s a = cr (y) (a (z)} .a (P) 



(i/ a) [ifl (a (y)) (I, a, i& {cr (x))) | test s then I a (P) ] a else Oj 
„ a) (<t' (y)) (J, a, a' (x))) | test s then a' (I P ]') else o) 
a 1 {(y s) (^M (I, a, ^ (x)) | test a then I P ] a else o)) = a' ([ 5 ] S J . 



Case of S = y (x) .P: Then 

I * (S) t = I a (V (x) .P) ] a ^ a [a(y (x>) . {»% } (P)) 



= {vr) (r\r*.<pl(a(y))(l',s,<pl(x')). 

test I then test I' then 7 <_L> | T 7 (_L) | a (T) a (P)) 



trfo) (*') -a ({*'/,} (P)) 

elseT(T) | F(J_) | a(_L) | r 



else 7 (±) |^ a (a(y))<Z',aX(z')>) 
e q („r) (r|r*.a'K (j/)) (*')) ■ 

test I then test V then 7 (_L) | 7 7 (±) | a (T) | a' ({^V^to} (I^lD 
else 7 (T) | F<J_) | a(±) | f 



else 7 (±) \a'{ V >l{y)){l',sMx'))) 
a'{(yr) (r \ r* . V l(y) (I' , s^l(x')) . 

test I then test I' then 7 (_L) |F(J_) \s(T)\ j^'V^Or) } (I P fj 

else 7 (T) | V (_L) | s (J_) \ r 



else 7 (T) | <^ a (t/)<2', a, ^ (*')})) 

E a «/( (i/r)(r | rVa(tf) (/',«, ^(»))- 

test Z then test 2' then 7 (JL) | T 7 (_L) | a (T) | [?f a else 7 (T) | T 7 (_L) | a (_L) 



else 7 (T) | i P l(y){l',s, l pl(x)))) 

Case of S = y* (x) .P: Then 

I o- (S) t = I o (y* (x) .P) f a ^ a [a (y* (x') . {*' / x ) (P)) 



a( y y(x').a({*'/ x }(P)] 

else7(_L) | a(±) 



--cpi(o-(y)T (l, S ,^(x')).testlthenl(±) \ | [ o ({*%} (P)) 

^ (tf (y))* («, a, # (x')) .test 2 then 7 (T) | a (J_) | a' ({^'V^*) | ([ P ]' )) else 7 (J_) | a (_L) 

= a' (y)* (2, a, (*')) .test / then 7 <i_) | a (_L) | {< x % l(x) } ([ P t) else 7 <J_) | a <T>) 
e q a' (y)* (I, s, tpl (x)) .test I then 7 (T) | a (±) | I P | a else 7 (_L) | a <J_)) 



□ 



Lemma 2. TTie encoding [ • ]™ zs name invariant. 
Proof. By Definition [8] it suffice to show, that: 

VS e P m . Va C AA . 3a' C M . I a (S) J" 1 = a a' ([ S £) A Vz e A/" . ^ (a (*)) = (z)) 



Without loss of generality let a = { Vl / X 



*/x„} for some neff. We choose 



(T 1 = /(Pa m , . <P?{Vv)l A 

So Vz e A/" . lya" 1 ((T (z)) = a' (<p™ (z)). We proceed with an induction over the structure of S. 

Base Case: Since n(/) = = n(0) and fn((W)7(T)) = 0, we have [<r (✓)]" = [ / J™ = /= o 7 (✓) = cr' ([ Z]" 1 ) 

and I a (0) ]» = I ]» = /)7 (T) = a' ((i/J) 7 (T)) = a' (I Q. 
Induction Hypothesis: VS e P m . Ver C AA . 3cr' C AA . [ cr (5) J a = a a' ([ 5 ]™) 

Induction Step: Let x' e AA be such that a;' ^ n(cr) U fn(P). Then ip™ (x 1 ) ^ n(cr). Moreover, since Vz g 
AT . cpf (z) ^ AT, where 



^ {Po i Pi i Po,up i Pi, up i Wlo i W^i i ^o, 



3 3 ^7 ^5 3 7 ^1 3 ^2 1 ^7 ^* 7 J 7 7 ^"l 7 ^ O 7 ^j, lip 7 , -iVlV 7 ^ 7 ^ 7 / } 



we have n(cr') n N = 0. Note that: 



o ({*'/*} (P) 



by IH 



= -'({ v ° (3: ' ) /^)}(I^C)) 

We proceed by a case split. 
Case of S=\vx)P: Then 

I ° (S) C = I ° (("*) ^) la 1 [ t (W) {*'/*} (P)) ] ™ = [ {v x') a ({*%} (P)) ] - 

= a' (jytf (*')) {^'ty^ (*)} (I P ID) ((1/ ^ (x)) I P C) = cr' (I 5 C) . 

Case of S = P \ Q: Then 

l*(S)£ = la(P\Q)£ = la(P)\a(Q)}™ 

{y C, 77l , 772^ , Po.up 7 Pi, up j c oj c i 7 m o,up > m i,up) ( 

c | {vp ,Pi) ( II (7- (P) ]™ | procLeftOutReq | procLeftlnReq) 
| (i/p ,j>i) ( [a (Q) C | procRightOutReq | procRightlnReq) 
pushReq) 

—a iy j : Po.up : Pi, up 3 ; 5 TUo,up i ^li,up ) ( 

"c | (i>po,Pi) (cr ([ P ]™) | procLeftOutReq | procLeftlnReq) 
| (i/po,Pi)(^'(|[QC) I procRightOutReq | procRightlnReq) 
| pushReq) 

C* ( (z^ C, 7?1 , THi, Po,up j Pi, up : c Oj , 7Uo,up 7 m i,up ) ( 

c| (up OJ pi) ( [ P ]™ I procLeftOutReq | procLeftlnReq) 
I (vp ,pi) ( [Q]™ I procRightOutReq | procRightlnReq) 
I pushReq)) 

Case of S = [ a = 6 ] P: Then 

I^(S)C = [^([a = 6]^)C = [[^(«)=^(6)]^(^)C = [^(^(«))=^ (v(b))]l*(P)Y: 
ee q [ a' « (a)) = a' (6)) ]a'{\P ]=) = a' ([ ^ (a) = ^ (6) ] [ P ]») = a' (15 Q . 

Case of S = J2iei n i-Pi'- Then 







m 


E*fa- p o 


m 

= (!//) 






a 


. »€/ 


a 



»6/ 



= a {v i) (i a) i n j (i ^-Pi d) = ^' o (j (t) i n i ^ c) ) = ^ (i s o • 



Case of S = t.P: Then 



I o (S) C = I (r-P) C = I ™ (^) C = ^t / then I (J_> | [ a (P) ]™ else 7 (_L) 

= Q test I then 7 (_L) | a' {\ P ]") else 7 (_L) = cr' (test / then 7 (_L) | \ P ]™ else 7 (_L» 



Case of S = y (z) .P: Then 



I ° (S) C = I CT (v <^> -p) C = I ° (y) (° (*)> (P) 

= {v s) {Wo {a (V)) , I, s, <ft (a (*))> \s.\a (P) ]») 

^ Q s) (p7 (a' (y)) , /, s, a' (<p™ (*))) | ([ P ]")) 

= a' {{v s) {Wo (<P™ (y) , I, s, <p? (*)) I *■ I P O) = o> (I 5 C) . 



Case of S = y (x) .P: Then 

l<r(S)l™ = l°(v (*) J a 1 =a [ <r (l/ (*') • { x '/x} (P)) 

= {v r) (p- {tf (a (y)) ,l,r)\ r* (fa, fa, -, s, <p? (x')) . 

test/i then test fa then fa (_L> fa(_L) \s \ [ a ({ x '/*} (P)) J" else IT (T) | fa <-L> 
else fa (_L)) 

^ Q (i/r) (ft(t/(^(»)),/,r> I r* (fa, fa, -, s, ^ (*')) . 

test fa then test fa then fa (_L) | fa (_L) | s \ a' ({""( X 'V V »(*) } ([ P ]")) else fa (~0 | fa (_L) 
else fa (T)) 

= o'({y r) (W(<P™ (y) , I, r) \ r* (fa, fa, -,s, <p? (x')) . 

test fa then test fa then fa <_L) | fa <_L) | s | {^'ty^ (x) } ([ P ]°) else fa (T) | fa (T) 
else fa (T))) 

^ a a'((ur) fc{<p?(y),l,r) \ r* (fa, fa, -, 5, ^ (x)) . 

test fa then (test fa then fa (_L) |fa(_L) s | [ P ]™ else fa (T) |fa(T)) else fa (T))) 

= *'([SD. 



(re 7 ) ({*'/*} 



Case of S = y* (x) .P: Then 

I ° (S) C = I o (y* (x) .P) £= a [a (y* (x') . {*' / x ) (P)) 
= (vl,r, Cr^c^.ro.n) ( 

Pi (tf (<? (»)) , I, r) I r* (-, -, fa, 5, ^ (*')) -test fa then fa (T) | a \ c^T {<ft (a/)) else fa (_L) 
\n{ip™{o{y)),l,r) |I(T> I c^(r , ri ) 

I Cri (^a (*^ )) " (^o s ^i) ■ {y ^lo 1 W^i 1 Po,upi Pi, up i To, up j ^i,up j C c , Cj , 7Tlo,up j Tfli^up ) ( 

pushReqln 

i(^ , ft )([^({ a; '/4( p ))]" 

I procRightOutReq | procRightlnReq^ 

I (^r ,n)(c^"(r ,n) I pushReqOut))) 

= Q (W, r, c rJ , c r2 , r c , n) ( 

(^ (?/)) ,Z,r> I r* (-, -, fa, s, ^ (a:')) -test fa then fa (_L) | s \ ~ t (<p? (x')) else fa (_L) 
\n(a' (<p™(y)),l,r)\l(T)\c^(r ,n) 

I Crl (^a (*^ )) (^"o) ^i) • Po,up-> Pi, up-, To, up-, Ti^up-, Co : Cj, TTlo.up-, ^i,up) ( 

pushReqln 

l^p ,Pi)(^({^ x 'V vf (x)}([^D) 

I procRightOutReq | procRightlnReq^) 

(^r ,r 2 )(c^i"(r ,r,) | pushReqOut))) 



= cr'^ (t/Z, r, c r i,c r 2, r Q , r») ( 

Pi (cp™ (y) ,l,r)\r*(-,-,l s ,s, ^ (x')) .test l s then T, (±) \ s | c^T (<p? (x')) else T s (±) 
\r-(^(y)J,r)\7(T)\c^(r , n ) 

| C r j i^Pa, )) • ^Vl? (^*0) ^i) • {y Wlo i Yft>i j Po,up-> Pi, up j To, up j T*i,up •> Co-> Cii TTLo.up j ^i,up) ( 

pushReqln 

l(^Po,Pi)({^'V^(x)}([PC) 

| procRightOutReq | procRightlnReq) 

r G) n) (c^{r , n) | pushReqOut) ))) 

p7 (») , /, r) | r* (-, -, J„ s, ^ (x)) .test Z s then T s (±) \ s \ c^T (x)) else T s (_L) 
|W(^(y),i,r) 1 1 (T) | c^(r ,ri> 

| Cri ('Pa ("^0 ) " (^o j Ti) • 7 Tfli , Po,up , Pi, up , To, up , Ti,up j Co , , TTl 0:U p , TI2i. U p ) ( 

pushReqln 

I (i/p , Pi) ([PCI procRightOutReq | procRightlnReq) 

I (z/r G , n) (c^g (r OJ n) I pushReqOut)))) 

= ^([S'C)- 

□ 

Analysing these proofs we observe (1) that a' depends only on a and the respective renaming policy, and (2) 
that we can prove the first case of name invariance (compare to Definition [8]) for all kinds of substitutions a, i.e., 
it suffice to consider equivalence modulo alpha conversion. 

Corollary 1 (Encoding substitutions). For all substitutions a — { V1 /x 1 , ■ ■ ■ , Vn /x n } it holds that 

ySEPs.la (S) t ^ a vi (a) ([ S ] S J and VS £ V m .\a(S) ]* ee q (a) ([ S C) , 
where ft (a) = {^ v % l(xi) , ■ ■ ■ f M / vl ( Xn )} and ft* (a) = {^)/^ (xi) , . . . ,^<»»V*> ? C«»)}- 

2.2 Basic Properties 

In the following we prove correctness with respect to the three semantical criteria. We observe, that in order to do 
so we do not have to prove conditions on arbitrary 7r a -terms but on encoded source terms and their derivatives. To 
simplify the argumentation we will denote such terms as target terms. 

Definition 14 (Target Terms). Let T £ T> & . Then T is a target term, denoted by T € PaT[ ■ p (or T £ 7V[ . y), 

if 3 S e V m . T ee I S ] » V I S ]» i=* T (or 3 S £ r a . T = I S ] I V [ S ] T) . 

Requests. Note that the encoding [[ • ]^ translates source term observables by adding an instantiation of a sum lock 
(except from observables due to replicated inputs) to keep track of the information, whether this observable is still 
active, i.e., whether the corresponding in- or output can still be used to emulate a source term step. Besides that 
additional information [ • J s a does not change the observables. In contrast, the encoding [ • ]™ translates source term 
observables into requests, which are again augmented by sum locks. Requests are outputs with either three or four 
parameters. Input requests, i.e., requests that originate from the translation of an input guarded term or replicated 
input, are outputs with three parameters. Output requests, i.e., requests that originate from the translation of an 
output guarded term, are outputs with four parameters. Note that we can indeed consider any output of three 
or four parameters as request, because the encoding function does not use these multiplicities for other purposes 
(compare to Figure H|). 

Definition 15 (Request). An input request is an unguarded output with three parameters, i.e., an output of kind 
y (xi, X2,Xs) for some y,Xi,X2,Xs £ Af , and an output request is an unguarded output with four parameters, i.e., 
an output ofkindy(x±,X2,X3,X4) for some y,x\,X2,x^,x^ £ Af. We refer to guarded variants of those outputs as 
guarded requests and to y as request channel. 



Note that the channels introduced by the encoding function are somehow well typed in the sense, that each name 
once used as link with multiplicity n will never appear as link with a multiplicity different from n. Because of that, 
it make sense to denote the channel y here as request channel, because whenever it is used as link name a request 
is transferred above that link. Moreover note, that the first parameter x\ of a request is always the translation of 
the respective source term channel and the second parameter x 2 always refers to the sum lock that is connected to 
that requests, i.e., that covers the information about the liveness of the corresponding observable. Note that in case 
of an input request that originate from an replicated input the second parameter refers to a fake sum lock, which is 
never checked. In case of an input request the third parameter X3 refers to the corresponding receiver lock and in 
case of an output request the third parameter x 3 refers to the corresponding sender lock and the fourth parameter 
X4 is the translation of the send value. 

An interesting fact is, that requests are preserved by the encoding function, i.e., each derivative of a target 
term has all the requests of its predecessor. Note that we consider here two requests that only differ by their link 
name but not their values as the same request. Requests are pushed upwards along and from right to left within 
the parallel structure of the term but they are never completely consumed. If the message refers to an inactive 
observable the respective sum lock is instantiated false to ensure that such a request can no longer be used to 
emulate a source term step. The corresponding output messages of the encoding, i.e., the requests, remain as junk 
(compare to Lemma [25|l . 

Lemma 3 (J • ]™ preserves requests). 

VTi, T 2 G . ,» .Vpi,y,l,r G Af . {3T[ G V a . 3x C Af . T x = {v x) {T[ | p~ (y, I, r») A Tj t==> T 2 
implies {3Tf, e T a . 3x C Af . 3 Pl ' G Af . T 2 = {vx) (T£ \ p~J (y, I, r))) 

and 

VTi,T 2 g Paf[ . 1- . V Po , y, I, s, z G Af . {3T[ £ V a . 3x C Af . T x = (v x) {T[ \ p~ (y, I, s, z))) A T\ t==^> T 2 
implies (3T^ G V a . 3x C N . 3 Po ' G Af . T 2 = {vx) (T 2 \p~7(y,l,s,z))) 

Proof. First note, that due to Figure |4] the translations of source term names are used as values only. So any in- or 
output of a target term is generated by the encoding function on special names reserved for the encoding. In case 
T\ = T 2 , i.e., in case the sequence T\ l=> T 2 is empty, the lemma holds trivially. Let us consider the case of a single 
step, i.e., Ti 1 — ► T 2 . The Lemma then follows by induction over the number of steps in the sequence T\ t=> T 2 . 

Analysing the encoding function in Figure |4] we observe, that any input with three or four parameters is due to 
the encoding of the parallel operator or a replicated input. In case of a forwarder the lemma again trivially holds, 
because each forwarder immediately restores each consumed message. The only remain inputs in the encoding of a 
parallel operator or a replicated input are due to the processing of right requests, i.e., due to procRightOutReq and 
procRightlnReq. 

procRightOutReq = c^(m,) | c G * (m,) .p Q (y, l s , s, z) .( 

{vmi,u P ) ( m* (y\ Ir, r) . ([ y' = y]r{lr, L, L, s,z) | m^ uv (y, lr, r)) 
I [v rm) {mi 

, Up 

-» m l \ c {mi))) 

I Po~^(y,l s ,s,z)) 

In case of procRightOutReq there are two inputs on request channels, namely Po {y,l s ,s,z) and m* {y',l r ,r). In 
the first case, whenever a request is consumed by p Q {y,l Sl s,z) it is immediately restored by p 0yUp {y, l 8 , s, z). 
In the second case any consumed request is immediately restored by mi tUp {y 1 , lr,r). So the Lemma holds. The 
argumentation for procRightlnReq is similar. □ 

A closer look at this proof and the encoding function in Figure [4] reveals, that (1) any initial request is due to 
the encoding of a guarded term or a replicated input and (2) any other request is a copy of an existing request. 
Because of that, as long as we are only interested in the values a request may carry and do not concern the link 
over it is currently transmitted, then we can conclude that any request originate to the encoding of a guarded term 
or a replicated input. 



Corollary 2. Any request originates to the encoding of a guarded term or a replicated input. 



Sum locks. Sum locks — for both considered encodings — are channels carrying a boolean value. They are used by 
the encoding functions to ensure that at most one summand of each sum is chosen for communication. Note that 
any channel used to transport a boolean value is a sum lock. However, since by Definition [5] at page[3]booleans and 
test-statements are just abbreviations, we use some simple type informations to unambiguous identify sum locks in 
both encodings. So, to be precise, instantiations on sum locks are inputs carrying two values, that are links with 
multiplicity zero. So sum locks are the only channels of multiplicity two, that carry only values of multiplicity zero. 

Definition 16 (Sum lock). Let T 6 V^t . jn> (or T 6 V a \^ .ja). A sum lock of T is a name I that is used in T as 
link with multiplicity two carrying two links with multiplicity zero. 

Let I be a sum lock. Then we refer to unguarded occurrences o/7(T) as positive instantiation and accordingly to 
unguarded occurrences of I {If) as negative instantiation of I. An instantiation of a sum lock I is either a positive 
or negative instantiation of I. 

Note that in most of the following definitions and proofs we hide the definition of booleans as well as of the 
corresponding test-statement. To show that sum locks meet our intuition we prove that in each target term T there 
is at most one instantiation of each sum lock. 

Lemma 4. For each target term each sum lock is instantiated at most once, i.e., 

VT e . (or T e Paft . F J . VI e Af . VT' e V a . Vx c Af . Vh, b 2 e B . r ^ (vx) (T' \ 7 (h) | 7 (b 2 )) . 

Proof. By Figure [3] and Figure 2] this condition holds for all encoded source terms, i.e., for all target terms [S } s a 
for some S € V s or S £ "P m , because for each sum there is exactly one positive instantiation of each sum lock and, 
since all sum locks appear restricted, the sum locks of different sums are different. All remainig instantiations of 
sum locks are guarded by a test-statement. To prove the condition for arbitrary target terms we take a closer look 
on these test-statements. We observe that for both encodings for each test-statement and for each of its possible 
outcomes the reduction of a test-statement unguards exactly one instantiation of a each sum lock that has to be 
consumed to reduce the respective test-statement. So for each new unguarded instantiation of a sum lock a former 
instantiation of the same lock was consumed. 

[NesOQ] proves that the encoding [ ■ ]* does not introduce deadlock, i.e., whenever a test-statement consumes a 
sum lock a new instantiation of the same lock is eventually unguarded. Moreover, it shows that a complete ordering 
of the sum locks as implemented in [ ■ ]™ suffice to ensure that even in the case of source terms from V m the test- 
statements can not cause a deadlock. So again for each consumed instantiation of a sum lock a new instantiation 
of the same lock is eventually unguarded. □ 

Note that, analysing the encoding functions obviously any instantiation of a sum lock is a positive or negative 
instantiation. The prove of Lemma U also shows that (1) all instantiations of sum locks in encoded source terms are 
positive — negative instantiations are only due to reduction steps, (2) all sum locks are initially instantiated, and 
(3) for each consumed instantiation of a sum lock eventually a new instantiation is unguarded. 

Corollary 3. Any sum lock is initially instantiated positive, i.e., 

VS e P s ■ VI e Af ■ Vb € B . VT e V a . Vx C N . \ S ]' = {vx) (T | 7 (&)) implies b = T 

and 

VS e V m . VI e Af . Vb e B . VT € P a • Vx C N . I S ]™ = (vx) (T | 1(b)) implies b = T. 

Corollary 4. Let T be a target term, i.e., T e V^i • ] s or T G PaSf ■ ] m , and let L C Af be the set of all sum locks 
of T . Then 

VI e L . 3T' e V & . 3x c Af . 3b e B . T (vx) (T' | 7(6)) . 

In the proof of Lemma 3] we observe that new instantiations of sum locks are unguarded by test-statements. So 
reducing a test-statement is the only possibility to change an instantiation of sum lock. A closer look reveals that 
positive instantiations can be changed into negative but never the other way around. 

Lemma 5. A negative instantiation of a sum lock can not be changed into a positive instantiation, i.e., 

VTi, T 2 e V^i . ]» (or T t ,T 2 e . F J .VleAf. VT[,T^ e V & . Vx u x 2 c Af . Vb e B . 
Tj = (vxi) (T{ | 7 <J_» A T\ f=> T 2 AT 2 = (vx 2 ) (T 2 | 7(6)) implies 6 = _L 



Proof. Revisiting the argumentation in the proof of Lemma 2] we observe that the reduction of a test-statement 
is the only way to change the instantiation of a sum lock. A closer look at the test-statements in Figure 2] and 
Figure [3] reveals that for both encoding functions and for each test-statements the then-case can change a positive 
instantiation of sum lock into negative instantiation but the else-cases always simply restore all consumed instances. 
Note that in case of the nested test-statement of the encoding of an input guarded term a positive instantiation 
of the first tested lock is changed only if the second tested lock is again positive instantiated. In this case both 
instantiations are changed into negative instantiations. Moreover note that all the other (single) test-statements 
change any consumed positive instantiation into a negative one. Because of that, it is possible to change a positive 
instantiation into a negative one but not the other way around. □ 

Sender and Receiver Locks. The third parameter of an output request refers to a sender lock, while the third 
parameter of an input request refers to a receiver lock. In both encodings, sender and receiver locks are used to 
guard the encoded continuation of output or input guarded source terms or replicated inputs. Sender locks are links 
with multiplicity zero in both encodings, in opposite receiver locks are links with multiplicity zero in [ • ] and five 
in [ • ]™. Note that in [ • ]™ only sender locks appear as third parameter of an output request. Since by Lemma |3] 
the encoding function [ • ] preserves requests, they unambiguous define sender locks. In the encoding [ • ] a also 
receiver locks are links that never transport any values (compare to Figure |3|). Moreover, the reserved names t and 
/ — necessary to implement booleans — are used as links without parameters in both encodings. To distinguish them 
in [ • ] a note, that sender locks are used as input links, while receiver locks are used as replicated inputs only, and 
that in each case of a test-statement there is an unrestricted instantiation of a sum lock, whereas all instantiations 
of sum locks within an encoded source term appear restricted. 

Definition 17 (Sender Lock). Let T € P a |"[ . y . Then any name s is a sender lock ofT if 

3T', T" e P a . 3x C H . T N=> (v x) (T' | s.T") and VZ e fn(T") . V6 £ B . VT'" € P a . T" ^ (T'" | 7 (&» . 

Let T S P a |" [ ■ ] m • Then any name s is a sender lock of T if 

3T' eP a . 3x c Af . 3p a ,y, I, z e J\f . T = (vx) (T' | (y,l, s, z)) . 

An instantiation of a sender lock is an output on a sender lock. 

Beside the blocking of the encoded continuation, in [ • J" 1 the receiver lock is used by the encoding of the parallel 
operator and its pendant in the encoding of a replicated input to transmit the order of the sum locks back to the 
encoding of an input guarded source term. Remember, that the encoding of an input guarded source term tests 
these sum locks to emulate a communication step of the source term and that the ordering of sum locks is necessary 
to avoid deadlock. In case of [ • ]™, receiver locks are again unambiguous identified by input requests. However they 
are also the only links in [ • ] carrying five parameters. In [ • ] a receiver locks are the only links of multiplicity 
zero, that are used as replicated inputs. 

Definition 18 (Receiver lock). Let T £ P a t[ . y . Then any name r is a receiver lock of T if 

3T',T" e P a . 3x C N . T = (vx) (T' | r*.T"). 

Let T £ Pat[ ■ ] m - Then any name r is a receiver lock of T if 

3T' e Pa . 3x C A/" . 3 Pl , y, I e N . T = (y x) {T 1 \ pi (y, I, r» . 

An instantiation of a receiver lock is an output on a receiver lock. 

Note that — for both encodings — for each input or output guarded source term exactly one receiver or sender lock 
is generated. Similarly, for each sum a unique sum lock is generated. However, since a sum may contain several input 
and/or output guarded summands, the encodings of different input or output guarded terms may share the same 
sum lock. But each encoded guarded term is connected to exactly one sum lock. The encoding [ • J" 1 is obviously 
more complex than the encoding [ • ]^. But on the other hand the existence of requests outlines the connection 
between sum locks and sender or receiver locks — and with it to the corresponding encodings of guarded terms — more 
clearly. 



Definition 19. Let T G V^s . ]»> and let l,r,s£ TV. IfT contains an unguarded input request with I as second and 
r as third parameter, i.e., if 

3T' G V a . 3x C N . 3 Pt ,yE Kf .T =(vx) (T' \ pl{y, I, r)) , 

then we call the sum lock I and the receiver lock r connected. Sometime we also say that I is the sum lock of the 
receiver lock r. 

Accordingly, if T contains an unguarded output request with I as second and s as third parameter, i.e., if 

3T' G V a . 3x cAf . 3p a ,y,z eN .T ={vx) (T' \p^(y,l,s,z)), 

then we call the sum lock I and the sender lock s connected. Sometime we also say that I is the sum lock of the 
sender lock s. 

Of course, the connection of sum locks to sender or receiver locks is unambiguous. 

Lemma 6. Let T G Paf[ . ] m be a target term. Then each receiver lock r and each sender lock s of T is connected 
to exactly one sum lock I of T , i.e., 

VTi,T 2 G V^i . jm . Vr,p ll ,p i2 ,y 1 ,y 2 , h, h G Af . VT^Tj G V a . Vxi,x 2 C Af . 

Ti = (yxx) (T{ | Wi(yi, h, r}) A Ti l=> T 2 A T 2 = (vx 2 ) (T 2 \ p[^{y 2 , h, r)) implies y 1 =y 2 Ah = h 

and 

VTi,T 2 G PaF[ ■ ]» ■ Vs,p 0l ,p 02 ,yi,y2, h,h,zi,Z2 G N ■ VT^Tj G V a . Vxi,X2 C M ■ 
T x = (vxx) (T[ \p^_{yuk, s,zi}) A Ti T 2 A T 2 = (1/X2) (T 2 | p^(y 2 , h, s,z 2 )) 
implies y\ = y 2 = l 2 A Z\ — z 2 . 

Proof. Analysing the encoding function [ • ]™ in Figure |4] we observe that initially, i.e., for each target term [ S J a 
for some source term S G 'P m , for each receiver lock, i.e., for each encoding of an input guarded term or a replicated 
input, and for each sender lock, i.e., for each encoding of an output guarded term, exactly one request is generated. 
Since the receiver and sender locks are generated under restriction, for each encoded source term there are not two 
requests with the same receiver or the same sender lock, i.e., no two requests share their third parameter. Because 
of that the lemma holds for all Ti = T 2 = [ 5 ] for some source term S G V m . By Corollary [2] then the lemma 
holds for all target terms T\ and T 2 such that T\ |=> T 2 . □ 

Note that this lemma does not only shows that the connection between sum locks and sender or receiver locks is 
unambiguous but moreover that the information carried by requests is persistent. It does not change while requests 
wander to the structure of the encoded term generated by the parallel operator nesting of the corresponding source 
term. 

Since, in case of [ • ] receiver locks are not only used to guard the encoding of the continuation of an input 
guarded term or replicated input but also to send the order of the locks back to the corresponding test-statement, 
they carry all necessary informations to perform the test. 

Lemma 7. Let T G T^afj . ] m and r G Af be a receiver lock of T . Then the first three parameters of r are sum locks, 
the fourth parameter is a sender lock s, and the last parameter is a translated source term name. Moreover, the 
third sum lock belongs to s and among the first to sum locks one belongs to r and the other one is again the sum 
lock of s . 

Proof. There are four different outputs on receiver locks, i.e., outputs of five parameters, one in each of pro- 
cRightOutReq and procRightlnReq in the encoding of a parallel operator and in the encoding of a replicated input 
(compare to Figure H|). 

procRightOutReq = (m.) | c Q * (m t ) .p a (y, l s , s, z) .( 

{vmi >up ) ( m* (y', l r , r) .([y' = y]r(lr, L, k, s,z) | m ljUp (y, l r , r)) 

I (V mi) (m i:Up -» mt \ ~cZ (mi)) ) 
I P^p~(yJs,s,z)) 



In procRightOutReq the output r (4-, k,l s , s, z) is guarded by a replicated input m* (?/', Z r , r) of three parameters 
which is in turn guarded by an input p Q (y, l s , s,z) of four parameters. So to unguard the output on the receiver lock 
two requests — first an output request and then an input request — have to consumed. The values of the parameters 
of the output T (L-, l s , l s , s, z) are completely determined by these two requests. Because of that the first three 
parameters are sum locks, the fourth parameter is a sender lock s, and the last parameter is a translated source 
term name. Moreover, the first parameter is the sum lock of the receiver lock and the second and third parameter 
are the sum lock of the sender lock. 

procRightlnReq = c~(m ) | c* {m a ) .p l {yj r ,r) .{ 

{vm 0tUp ) (m * (y',l s ,s,z).([y' = y }r (l s J r , l s , s, z) | m 0jUp (y' , l s , s,z)) 

| (v m ) (m 0iUp -» m \ ~ci (m )) ) 
I W~^(yJr,r)) 

The case of procRightlnReqis similar but here the input request has to be consumed first, and the first and the third 
parameter are the sum lock of the sender lock and the second parameter is the sum lock of the receiver lock. □ 

In order to ease the proof of Lemma [TOl at page [21] we introduce another kind of lock. [ • ]™ translates source 
term observables into requests, which are then combined to search for potential communication partners. In order 
to avoid divergence, requests can not be copied arbitrary often. To ensure that indeed each left request is combined 
with each possible matching right request, the right requests — in the encoding of a parallel operator as well as in 
the encoding of a replicated input — are linked within some kind of chain or list, along which the left requests are 
forwarded. Again to avoid divergence these chains or lists can not be infinitely long, so the links c and c, are 
introduced by the encoding function to extent these chain or list by a new right request as soon as its last place 
is occupied. We will denote these links as chain locks. Similarly, the chain lock c r i in the encoding of a replicated 
input is used to establish some kind of chain on encoded source terms — the encoded continuations of that replicated 
input — instead of right requests. Note that chain locks are the only links in target terms with multiplicity one. 

Definition 20 (Chain Lock). Let T 6 "P a fj . jm. Then any name c a is a chain lock of T if 3T' E P a . 3x C 

Af . 3m l eAf .T t=>- (ux) (T" | c^(m 4 )). 

An instantiation of a chain lock is an output on a chain lock. 

Note that the value of a chain lock used to establish a chain of right requests is always a request channel, while 
the value of a chain lock used to establish a chain of encoded source terms is always a translated source term name, 
i.e., a value never used as link. Because of that, we can easily distinguish these two kinds of chain locks by a simple 
type information. 

2.3 Steps of an Emulation 

Before we formally define receiver and sender locks in the last section we argue that they are introduced by the 
encoding function to guard the encoding of the continuation of a guarded source term. To mimic the behaviour of 
the source term, the encodings of continuations have to stay guarded until the source term step unguarding them 
in the source term is emulated by its encoding. As already mentioned both encodings translate a single source 
term step into a sequence of target term steps called emulation. However, in both encodings we can unambiguous 
allocate the main responsibility for an emulation to a single step of that emulation and call all the other steps pre- 
or postprocessing steps of that emulation. In the following we will refer to the first kind of target term steps as 
core steps, since they perform the main task of an emulation and because of that constitute the transition from 
the emulation of a source term to the emulation of its successor. It turns out, that for both encodings the core 
steps are connected to the test-statements. More precisely, in case of an emulation of a step on a term guarded 
by t or a replicated input, it is the consumption of the positive instantiation of a sum lock by the corresponding 
test-statement that performs the main task of the emulation. In case of an emulation of a step on an input guarded 
source term, it is the consumption of the second positive instantiation in the nested test-statement that we call core 
step. 

Definition 21 (Core Step). Let T U T 2 € V^f . j» (or T U T 2 € V^i . yj. A step T x i — > T 2 is a core step, denoted 
by T\ ^> T 2 , if this step consumes a positive instantiation of a sum lock either within a single test- statement or 
within the second test of a nested test-statement. 



Note that, since negative instantiations of sum locks refer to encoded in- or outputs, that remains of a former 
emulation as junk, we do not consider any consummation of a negative sum lock as core step. According, test- 
statements consuming a negative instantiation of a sum lock only restore all consumed information. In the following 
we prove our intuition of core steps by showing that encoded continuations can only be unguarded after a core step. 

Lemma 8. Only core steps may lead to the unguarding of the encoding of a continuation of some source term. 

Proof. Analysing the encoding functions in Figure [3] and Figure |4] we observe that the encoded continuations of 
output guarded source terms appear guarded by the respective sender lock. Moreover we observe that all instan- 
tiations of sender locks are guarded by test-statements. More precisely, they are guarded by the then-case of a 
single test-statement (due to the encoding of a replicated input) or the then-case of the second test in a nested 
test-statement (due to the encoding of an input guarded term). Note that in case of [ • ]™, by Lemma [7] the input 
on the receiver lock that guards the test-statements unambiguous identifies the following outputs of multiplicity 
zero as sender locks. So a core step is necessary to unguard them. 

In case of a source term guarded by r or an input guarded source term the respective encoded continuations 
appear directly as required in the respective then-cases of the test-statements. So, in these cases, the lemma holds 
directly by the Definition of the encoding functions. □ 

Note that to our intuition for each emulation of a source term step, there is exactly one core step. However, 
we will need some further information to prove that statement (compare to Lemma [32] at page . So let us 
have a closer look at the remaining pre- and post processing steps. There is one step of an emulation, namely the 
unguarding of the encoded continuation of an output guarded source term by communication over a sender lock, 
that for certainty has to be performed after the core step of the corresponding emulation. Because of that we can call 
reductions on sender locks postprocessing steps. There are also steps, as for instance reductions over receiver locks, 
that for certainty have to be performed before the corresponding core step. So we can call all reductions on receiver 
locks preprocessing steps. However, there are some steps that may be performed before or after the corresponding 
core step. Moreover, the fact whether a non core step was performed before or after the corresponding core step is 
usually not important and often hard to prove. So pre- or postprocessing steps is not a good characterisation for our 
purposes. Instead we will refer to those steps as administrative steps, since they perform administrative tasks, that 
are necessary to perform an emulation, but they do not carry the main responsibility for the emulation, i.e., they 
do — at least for the general case — not inevitably implement the decision to emulate a specific source term step. 

Definition 22 (Administrative Step). Let Ti,T 2 6 V^l-J™ (or T X ,T 2 € V a \i-yJ- A step Ti i — > T 2 is a 
administrative step, denoted by T± ^-^T 2 , if it is no core step. 

Let T\ \==>T 2 denote a sequence of administrative steps, i.e., \==> is the transitive and reflexive closure of i— j-> . 

In the easiest case, none of the administrative steps influences the decision to emulate a specific source term 
steps. That means: Consider a source term that can perform alternative but conflicting steps. So the encoding can 
perform different but conflicting emulations. In this case none of the administrative steps should influences which of 
the emulations may be completed, i.e., no sequence of administrative steps should be able to rule out the completion 
of one of these emulations. 

Unfortunately, for both of the presented encodings this turns out to be wrong. It is always a core step that 
finally decides which of the conflicting emulations is completed by preventing any other conflicting emulation from 
completion. However, in case there are more than two possible conflicting emulations, a sequence of administrative 
steps may rule out one alternative while allowing for different still possible emulations. 

Example 1. Let us consider the source term S = (a. Si + a.S 2 ) | a. S3 | a. Si for some Si, S 2 , S3, S4 G P s . So S £ P s 
as well as S G P m . The encoding of S, regardless whether it is encoded by [ • ]* or [ • ]™, generates three sum locks, 
one for each sum. Let us assume, the sum lock generated for a. Si + a.S 2 is h, the sum lock for a. S3 is fa, and I3 is 
generated for a.Si. S can perform three conflicting steps leading to Si | S3, S 2 | S3, or S3 | S4, respectively. Each 
of these steps can be emulated by both of the encodings. To emulate the step to Si | S3 for both encodings the 
positive instantiation of the sum lock li is consumed first and to complete the emulation a positive instantiation of 
the sum lock l 2 has to be consumed. However, it is possible, that the encoded term instead performs another (nested) 
test-statement and consume both positive instantiations of l 2 and I3 to emulate the step to S3 | S4 instead. Because 
of that, in case of a nested test-statement, we do not consider the first consumption of a positive instantiation of 
a sum lock as a core step. Even, if at this point the sum lock, that is tested next by this test-statement, is still 
instantiated positive, it can become negative by an interleaving other test-statement. 

So after the consumption of the positive instantiation of li in order to emulate the source term step to Si | S3, 
there is still the possibility to complete instead the emulation of the source term step to S 3 | S4. However, there 



is no possibility to complete the emulation of the source term step to 5*2 | £3. Note that, to emulate the step to 
£2 I S3, a positive instantiation of each of the locks l\ and l 2 is necessary. Here, the instantiation of l\ is consumed. 
The only possibility to restore the positive instantiation is to consume a negative instantiation of l 2 (compare to 
the nested test-statements in the encodings of input guarded terms in Figure [3] and Figure 2]). By Lemma El then 
there is no possibility to change that negative instantiation back into a positive one. So, as soon as h is consumed, 
one of the three possible emulations is ruled out while there are still two possible emulations left. 




Fig. 5. Intermediate States. 



We visualise this phenomenon in Figure [5] (for the case of [ • ]™). Here the red lines denote sequences of steps 
with (exactly) one core step, the blue lines denote sequences without core steps but with at least one impure 
administrative step, and the green lines denote sequences of only pure administrative steps (compare to Definition 
HH) , Between the encoding of the source term S and the encodings of its reducts S± \ S3, £2 | S3, and S3 | S4 there 
are two intermediate states, i.e., two states that differ from each encoded source term within that picture. Note that 
the observability of such an intermediate state depends on the chosen equivalence on target terms. 

Definition 23 (Intermediate State). A term T' is an intermediate state, if 

3T, Ti, T 2 , T 3 . T \=> Ti A T t=> T 2 A T \=> T 3 A T \=> T' A T' 7\ A T' \=> T 2 A T' tf=> T 3 , 

i.e. if 




Remarkably, the existence of intermediate states in [ • J s a is independent of structural congruence — if two source 
terms are structural congruent, then their encodings have the same intermediate states — while this is not true 
for [ • ]™. Here the locks are always tested according to a total ordering created along the structure induced by 
the nesting of parallel operators of the source term. Because of that, this ordering of sum locks differ for source 
terms, that are structural congruent but differ in the order of their subprocesses, i.e. differ by rule P | Q = Q | P. 
So structural congruent source terms can differ in the number and nature of reachable intermediate states; e. g. 
S' = a. S3 I (a. Si + a.S 2 ) \ (1.S4, which is structural congruent to S from Example [TJ does not reach any of the 
above intermediate states. Instead, in S' the first consumption of a positive instantiation of a sum lock, which is no 
core step here, completely determines which emulation can be completed. 



To capture that fact we further distinguish administrative steps, into pure administrative steps — that never rule 
out the completion of any possible emulation — and impure administrative steps — that due to the consumption of 
a positive instantiation of a sum lock may possibly rule out the completion of an emulation. Note that in case of 
[ • ] a requests are copied to ensure that each possible combination of input and output requests is checked exactly 
once. Because of that steps on requests are pure administrative steps. In opposite, [ • ] does not translate source 
term observables into requests. To check for a potential pair of translated communication partners a communication 
of the translated channel names is performed. Similar to the consumption of positive instantiations of sum locks 
this might rule out alternative emulations. Because of that we consider steps on translated source term names as 
impure administrative steps of [ • ] . Also note, that in [ • ] translated source term names are used as values only; 
so there are no steps on translated source term names. 

Definition 24 (Pure and Impure Administrative Step). Let T lt T 2 £ V a \i . j» (or Ti,T 2 G V a \i . y). A step 
T\ i — j-> T 2 is a pure administrative step, denoted by T± ^-^>-T 2 , if it is neither on a sum lock nor on a translated 
source term name, else it is an impure administrative step, denoted by 7\ ^- L ^T 2 . 

Let T\\=>T 2 denote a sequence of pure administrative steps, i.e., t=> is the transitive and reflexive closure of 

To show that the definition of pure administrative steps meets our intuition, we prove some kind of local 
confluence property for most of the pure administrative steps. Intuitively, it states that indeed none of the pure 
administrative steps can rule out the completion of any emulation, because they are (in most cases) not conflicting, 
i.e., does not rule out any other sequence of steps. 

Lemma 9. Within target terms pure administrative steps are not conflicting, i.e., 

VT, T X ,T 2 € Pa[[ . I; . T ^ Ti A T i=> T 2 implies 3T' e V a \ l . y . Ti l=> T' A T 2 t—^ T' . 

Proof. In comparison to [ • ]™ the encoding [ • ] a introduces only a few pure administrative steps and all of them 
are not conflicting. First note that, since in 7r a there are no sums, two target term steps can only be in conflict if 
one of it consumes some input or output necessary to perform the other step. So it suffice to concentrate on steps 
on the same channel. Analysing the encoding function in Figure [3] we discover that steps on receiver or sender locks 
(compare to Definitions 1181 and I17[) are pure administrative steps. 

In case of receiver lock, since they are generated under restriction, for each receiver lock there is exactly one 
replicated input and no other input. Because of that it does not matter how many other steps on (the same) receiver 
lock may appear within the sequence T l=> T 2 the step T i— ^ T± can be performed before or after that sequence 
and in both cases the same term T' is reached. 

In case of sender locks, there is exactly one input and no replicated input for each sender lock. Moreover, we 
observe that initially there is no instantiation of a sender lock, and there is exactly one output (on a translated 
source term name) which carries the sender lock as value. This output is consumed to unguard a test-statement and 
that test-statement can then ungard again at most one output which carries the sender lock as value and which can 
itself unguard another test-statement. The only instantiations of sender locks are due to the then-case of a single 
test-statement in the encoding of a replicated input or the then-case of the second test-statement in the encoding 
of an input guarded term, and in both cases only a single instantiation of a sender lock is unguarded. So for each 
target term and each sender lock there can be at most one instantiation of a sender lock. Moreover note, that the 
output on the translated source term names does not only carry the sender lock, but also a sum lock. In order to 
obtain an instantiation of the sender lock this sum lock has to be instantiated positive. But whenever a sender lock 
is instantiated the encoding also generates a negative instantiation of that sum lock. By Lemma [5] that negative 
instantiation can never be turned into a positive one again; so there is no chance to generate a second instantiation 
on the same sender lock. Because of that, if Ti—^Ti is a step on a sender lock, then none of the steps in T t=> T 2 
is a step on that sender lock. So the lemma holds. 

Besides these to steps there is another kind of pure administrative steps that is not that obvious in Figure [3] 
because that kind of steps is hidden by the abbreviation used to introduce booleans and test-statements (compare 
to Definition [S]). We observe, that a test-statement is reduced within two steps. The first consumes the instantiation 
of the sum lock and is thus no pure administrative step. The second step unguards the corresponding then- or 
else-case. In both cases that step is a pure administrative step. However the names t and / are restricted for each 
test-statement, are not used any there else by the encoding function, and thanks to the renaming policy are different 
from each translated source term name. Because of that, we can again conclude that, if Tt—^+Ti is a step on a 
version of t or /, then none of the steps in T t=> T 2 is a step on the same name. So the lemma holds. □ 



Lemma 10. Within target terms pure administrative steps, that either are on sender locks or booleans, or do not 
unguard an instantiation of a chain lock carrying a request channel, are not conflicting, i.e., 

VT,Ti,T 2 SPafj.jm .T^T 1 AT^T 2 

A ( T i — > T\ is a step on a sender lock or booleans 

V (VT{ e ? a . Vi C JV . Vc , rrii € A/" . T\ = (v x) (T{ | ~c^ (mi)) , where mt is a request channel 
implies (3T' £ V a . 3x x C M . T = {vxx) (T 1 | c^(m,))))) 
implies 3T 3 e . ]»> . Ti t=> T 3 A T 2 h-^ T 3 . 

Proof. [ • J" 1 relies on much more pure administrative steps than [ • ]^. First note that, the encoding of a parallel 
operator generates unguarded instantiations of chain locks carrying a request channel. Since a step on a sender 
lock and a step on t to unguard the then-case of a test-statement unguards an encoded continuation, they unguard 
instantiations of such chain locks, if the corresponding source term in the continuation contains a parallel operator. 
Nevertheless, we want to prove the condition also for steps on sender locks and booleans. 

Since source term names are translated into values, never used as links, it suffice to consider steps on names 
introduced by the encoding function. A look at the definition of the corresponding renaming policy in Figure 2] 
suggests the following case on the subject of the step T i — > T\ . 

Case of p , Pi, Po.up, Pi.up, mo, m 0iUp , mi iUp , ri, r a , ri_ up , r 0iUp : All these names are request channels, i.e., there 
are introduced by [ • ]™ to transport requests. Note that the encoding function puts much effort in the direction 
of requests. Usually there is exactly one way for them, namely: (1) upwards in the structure generated by the 
nesting of parallel operators in the corresponding source term, (2) within the encoding of a parallel operator 
or each branch of the encoding of a replicated input from the left side to each right request, which are linked 
within a chain, and (3) within the encoding of a replicated input from each branch to each next branch, where 
each branch represents an encoding of the continuation of that replicated input and the branches are again 
linked within some kind of chain. 

Indeed there is only one point, at which the way of a requests is not completely determined. That is the point 
at which right requests are linked within a chain (compare to the encoding of a parallel operator or a replicated 
input). The order in which the right requests are consumed determines their order in the chain, so these steps 
are conflicting. They are steps on the first input on output requests in procRightOutReq and on the first input 
on input requests in procLeftOutReq. 

procRightOutReq = (mi) | c a * (m t ) .p a (y, l s , s, z) .( 

(vm i<up ) (m* (y',lr,r) ,([y' = y]r (lr,l s ,l s , s,z) | m~(y',lr,r)) 

| (y m^ (m ijUp -» m t | ~cZ (m^) ) 
I P^p~(y,ls,s,z)) 
procRightlnReq = c^" (m ) \ c* (m a ) .p t (y, l r , r) .( 

(ym Q ^ up ) ( m Q * (y ', l Sl s,z) . ([ y' = y]r(l s , lr, l s , s,z) \ m 0jUp (y 1 ', l s , s,z)) 

| (v m a ) (m 0:Up -» m \ ~Ci (m )) ) 
I W^p(y,lr,r)) 

In both cases immediately an instantiation of a chain lock carrying a request channel is unguarded. So the 
lemma holds, because its precondition is violated. 

Let us have a look at the remaining request channels. Within the left side of the encoding of a parallel operator 
there arc two restricted different replicated inputs on requests channels. Note that, the encoding function 
places all inputs or replicated inputs under restriction, i.e., for all source terms their encoding has no inputs 
or replicated inputs on free names. Because of that, for the request channels restricted at the left side of the 
parallel operator encoding there is exactly one replicated input and no other input. Thus it does not matter 
how many other steps on the same request channel may appear within the sequence T t=> Ti , the step T 1—7^ T\ 
can be performed before or after that sequence and in both cases the same term T3 is reached. 

3 Note that in most cases the considered names are restricted, so a simple alpha conversion may change them. Because of 
that the use of concrete names in the following case split should not imply that we consider steps on these specific names. 
Instead the names refer to the meaning which is related to them by the encoding function. 



Beside the already considered possibly conflicting input, there are two different replicated inputs on request 
channels and no other input on request channels within procRightOutReq. The link of the first is bounded by 
a guarding replicated input on a chain lock. The link of the second is restricted. So we can again apply the 
argumentation of the case before. The same applies to procRightlnReq. The two links of replicated inputs in 
pushReq and the four links of replicated inputs pushReqOut are restricted, apart from that, this case is similar to 
the cases before. In opposite, in case of pushReq In the links of both replicated inputs are bounded by a guarding 
input, apart from that, this case is similar to the cases before. 

Case of c , a: These names is used as chain locks carrying a request channel (compare to Definition |20|). Those 
chain locks are used by the encoding function to direct the combinations of left and right requests in the encoding 
of a parallel operator as well as in the encoding of a replicated input. In order to avoid divergence, requests 
can not be copied arbitrary often. To ensure that indeed each left request is combined which each possible 
matching right request, the right requests are linked within some kind of chain or list, along which the left 
requests are forwarded. Again to avoid divergence these chains can not be infinitely long, so c a and allow to 
extent these chains by a new right request as soon as its last place is occupied. Since these names are generated 
under restriction, for each of them there is exactly one replicated input and no other input. Because of that it 
does not matter how many other steps on the same names may appear within the sequence T l==> T2, the step 
T 1 ; y T\ can be performed before or after that sequence and in both cases the same term T3 is reached. 

Case of /, 4, 4-, hi h- Any of these names refer to a sum lock in the encoding given in Figure 2] By Definition [Ml 
steps on sum locks are no pure administrative steps. 

Case of s: s is used by the encoding function to introduce sender locks. For steps on sender locks it suffice to 
repeat the argumentation given in the proof of Lemma [5] for sender locks. 

Case of r: In case of receiver lock, since they are generated under restriction, for each receiver lock there is exactly 
one replicated input and no other input. Because of that it does not matter how many other steps on (the same) 
receiver lock may appear within the sequence T t=> T 2 , the step T 1— —>• J\ can be performed before or after that 
sequence and in both cases the same term T 3 is reached. 

Case of c r j : c r i again is a chain lock, this time carrying a translated source term name. Intuitively, it is used by 
the encoding function for a purpose similar to the usage of chain locks carrying a request channel. Instead of a 
chain of right requests, c r i as well as c r 2 are used to build up a some kind of chain of the encoded continuations 
of several reductions on the same encoded replicated input. As already explained our encoding J • ] relies on 
the structure with is build by the parallel operators in the corresponding source term. Each reduction of a 
replicated input changes this structure. To allow for different encoded continuations to communicate among 
each other or with the encoded replicated input we link the encodings of the continuations. This time we have 
to add a new member, i.e., an encoded continuation, to the chain whenever the encoded replicated input is used 
to emulate a step. Therefore c r i is instantiated within the then-case of the test-statement in the encoding of a 
replicated input. Since c r i is generated under restriction, for each c r i there is exactly one replicated input and 
no other input. Because of that, it does not matter how many other steps on the same name may appear within 
the sequence T !==>• T2, the step Tt—^Ti can be performed before or after that sequence and in both cases the 
same term T3 is reached. 

Case of c r 2 : To link the members in the chain of right requests for each new member a new m or uii is restricted 
and transmitted over c or Cj . The encoded continuations of a replicated input are linked over and r Q , which 
are again restricted for each encoded continuation. c r g is used to transmit these new restricted names to the 
respective next member of the chain. Note that, this kind of link is generated always under restriction. Initially 
there is exactly one unguarded output and one input, guarded by a replicated input on a chain lock. Reducing 
this input immediately unguards some instantiations of chain locks, so the lemma holds, because its precondition 
is violated. Also note that, due to several emulations on the encoded replicated input, there may be several 
unguarded inputs on c r 2 . The order in which these inputs are consumed determines the order of the encoded 
continuations within the constructed chain. Because of that steps on c r 2 can be indeed conflicting. 

Case of y, y', z: These names are used by the encoding function as values only, but never as links. So there are no 
(pure administrative) steps on these names. 

Case of i, /: These names are used only to implement the test-statements and the instantiation of sum locks. The 
reduction of a test-statement is performed in two steps. The first consumes the instantiation of a sum lock and 
is thus not a pure administrative step. For the second one — necessary to unguard the then- or else-case of a 
test-statement — it suffice to repeat the argumentation given in the proof of Lemma [5] for these kind of steps. 

□ 

Note that the proof above provides a detailed explanation of the purposes of the names reserved by the encoding 
function [ ■ ]™. Moreover note that the pure administrative steps that are conflicting are exactly the steps that 



introduce additional causal dependencies (compare to [PSNllj and thus prevent the preservation of the degree of 
distribution (compare to Section 4 in |PN12| ). In the following we strongly rely on the Lemmata \§\ and ITUI because 
they basically allow us to ignore all not conflicting steps while considering the reachability of success or translated 
observables in the next section. 

In order to show that the remaining pure administrative steps do not cause any problems but in fact, as described 
in the proof of Lemma 1101 do only influence the order of right requests in the chain of right request or the order of 
encoded continuations of a replicated input generated by its encoding, we prove that those steps never cause any 
deadlock. Note that, |Nes00j proves that the encoding [ • ] does not introduce deadlocks. 

Lemma 11. Pure administrative steps do not introduce deadlocks. 

Proof. In case of a step on a sender lock or a step which does not unguard an instantiation of a chain lock, this 
lemma directly follows by Lemma [TUl 

In case of a step on a request channel which does unguard an instantiation of a chain lock (compare to the first 
case of the proof of Lemma fT0|). a step on the unguarded chain lock unguards another input on the same request 
channel. Moreover the corresponding continuations differ only on a single name free to that continuation. Let us 
denote the first such continuation by A and the second by B, and the free link name by p. Then it turns out, that 
B is connected to A by p and either A is connected in a similar way to another such continuation or A is connected 
to the requests from the left. The only requests travelling along p are left requests. However as soon as they arrive 
A they are copied and transmitted to B. Because of that the order of A and B in that chain does not matter (at 
least as long as we do not consider causal dependencies). Of course, the step on the chain lock unguarding B is 
not forced to be performed immediately after the step on the request channel, but by Lemma [TU] it will eventually 
happen. So the step on the request channel blocks alternative steps on this request channel for some time but not 
for ever, i.e., it does not introduce deadlock. 

In case of a step on a channel of multiplicity two — let us denote it c — which does unguard an instantiation of 
a chain lock (compare to case c r 2 of the proof of Lemma 1101) . immediately an other output on c is unguarded. As 
in the case before by the communication on the chain lock, the communication over c links the encodings of the 
continuations of the respective replicated input, in this case by two request channels. Apart from that, the situation 
is exactly the same as before. If there is an other encoded continuation of that replicated input — caused by another 
emulation — it will eventually be linked within the chain and all requests that arrive at a previous member of that 
chain are forwarded to that member. Note that the encoded continuations initially are all equal. So the chains 
resulting from different orders of two members, that were available at the same time, are equal. We conclude that 
a step on c can not introduce deadlock. □ 

Lemma 12. Impure administrative steps do not introduce deadlocks. 

Proof. In [ • J a any impure administrative step reduces a test-statement by consuming an instantiation of a sum lock 
(compare to Definition |24|). Deadlock occurs, if — due to interleaving of these test-statements — the instantiations of 
a subset of the sum locks are consumed, such that none of the involved test-statements can be resolved. As already 
stated in (NesOO a total ordering on the sum locks suffice to circumvent any potential deadlock. Note that the 
encodings of parallel operator and replicated input implement such a total ordering on sum locks. They somehow 
reuse the structure generated by the parallel operators of the corresponding source term to force the nested test- 
statements to always test the lock first, which is according to that parallel structure left to the other one. Since the 
parallel operator is binary, this structure is a binary tree. So testing always the left lock first, indeed implements a 
total ordering. □ 

Note that, by Lemma [32] at page EH core steps and the source term steps of the corresponding emulations 
coincide. So Lemma [3"2l in combination with the Lemma [TT] and Lemma [T2l proves that the encoding [ • ]™ does not 
introduce deadlocks. 

2.4 Translated Observables and Choosing a Bisimulation 

In order to prove the presented encodings correct with respect to the criteria of Gorla we have to choose an 
equivalence x for operational correspondence (compare to Definition [9]). In jGorlOj Gorla describes x as follows: 

"x is a behavioural equivalence needed to describe the abstract behaviour of a process. Usually, x 
is a congruence at least with respect to parallel composition; it is often defined in the form of a barbed 
equivalence or can be derived directly from the reduction semantics." 



Moreover, by the criteria in Section ITT51 we know that x should be success respecting (compare to Definition [T5|) . 
The main purpose of x in the definition of operational correspondence is to abstract from junk, i.e., remains left 
over by former emulations that do not influence the abstract behaviour of a target term. Usually, two kinds of junks 
are distinguished inactive junk, i.e., remains that neither can perform further reductions on its own nor interact 
with the surrounding target term, and active junk, i.e., remains that may by reduced or even interact with the 
surrounding target term. Of course, proving an encoding to be good requires to prove that its active junk does no 
harm, i.e., does not influence the abstract behaviour of the target term. However, the presented encodings [ ■ J* and 
[ • ]™ induce the consideration of a second dimension of junk, namely observable and inobservable junk. In most 
cases developers of encodings make sure that all produced junk is inobservable, i.e., using the standard notions of 
observables for the target language neither the steps on junk nor the junk itself is observable. Unfortunately, as for 
the presented encodings, it is not always possible to define the encoding function such that all produced junk is 
inobservable. 

In the 7r-calculus observables are usually defined to be the unguarded input or output guards of a term, whose 
channel name is not restricted (compare to Definition [4]) . To encode sums both encodings split up the summands 
into parallel. Of course, while doing so, the information which of these summands originally belongs to the same 
sum gets lost. To recover it, the encodings introduce sum locks, which cover a boolean value to indicate whether the 
respective summands of that sum can still be used to complete an emulation or whether a former emulation already 
consume one of the summands and thus no other can be used any more. Thus the encoding functions translate a 
source term observable into an observable — in case of [ ■ ] — or a request — in case of [ • ]™ — both times augment 
with the information covered by the sum lock. So source term observables are not translated into single observables 
again. 

Definition 25 (Translated Observables). Let T G 'Pat[.] s - Then T has a translated input observables y, 
denoted by T \, s y , if 

3T', T{, e V & . 3x c N . 31, l',s,zeN . 

(T= (vx) (T' | y (l\ s, z) .test I then T[ else T' 2 | I(T)) \JT=(vx) (T' | y* (l',s,z))) Ay £3; 

and T has a translated output observables y, denoted by T \?L, if 

3T' 6 V a • 3x C N . 3l,s,z G N . T= (ux) (T 1 \y(l,s,z) | 7(T» Ay^i 

Let T G "Pafj . jm. Then T has a translated input observables y, denoted by T .J,™, if 

3T' G V a . £ C N . 3 Pi , I, r G M . T = {vx) (T' \ ft (y, I, r) \1{T)) A y t £ 

and T has a translated output observables y, denoted by T \J^, if 

3T' G Pa ■ x C7V . 3p a , l,s,z£ TV . T = (vx) (T' p^{y,l,s,z) | 7 <~T» A y (f, x. 

Moreover for some input or output observable [i we define T ^ = 3T G 7r a . T t=4> T A T ^ and T JJ,™ = 3T G 
ir a .Tt=*T' AT' I™. 

Note that for all target terms T G "P a t[ ] m any output with three parameters is an input request and any 
output with four parameters is an output request. So a simple typing suffice to securely identify requests. Since 
requests already contain a reference to their related sum lock, the identification of the related sum lock instantiation 
is unambiguous as well. The condition y £ x is necessary to rule out translated observables that corresponds to 
invisible in- or outputs of the source term (compare to Definition 0] at page [3]). To show that the notion of translated 
observables indeed captures our intuition we prove that the set of observables reachable for a source term coincides 
with the set of translated observables reachable for its encoding. 

Lemma 13. The set of reachable observables of a source term and of reachable translated observables of its encoding 
coincide, i.e., 

VSgP s .V,igA/-U/7.S^ iff ISJl^l 

and 

VSeVm.Viieffu7r.su,, iff [S]™^. 



Proof. By Corollary [3] stating that initially all sum locks are instantiated positive and Figure[l]the set of observables 
of a source term S E P m and the set of translated observables of [ S ]™ coincide, i.e., 

VSeP m .VneATuJr.S^ iff I SO" 1 - 

In case of [ • J a we obtain a similar result after reducing all instantiation of receiver locks, since they guard the 
respective inputs (compare to Figure[3]). The lemma then follows by operational correspondence, i.e. by the Lemmata 
M at page [371 ED at page EH and [3J at page gffl □ 

The problem now is, that the completion of an emulation changes positive instantiations of sum locks into 
negative ones and so obviously influences the translated observables, but the corresponding requests — in case of 
[ • ] — or in- and outputs of other summands — in case of [ • ]^ — remain as observable junk. While active junk often 
aggravates the proof of correctness of an encoding, due to intricate proofs to show that it does no harm, observable 
junk turns out to be even worse for an encoding, because it prevents for the use of standard equivalences to describe 
the abstract behaviour of a target term. 

Since the target language is the asynchronous 7r-calculus, it seems natural to choose weak asynchronous bisim- 
ilarity w a or asynchronous barbed congruence = a . Unfortunately for both choices the presented encodings are 
not good. Consider for example the source term S — (y x) (x + y \ x) . It can perform a reduction to 0. But, all 
derivatives of its encoding, i.e., all T E P a with [ S f=> T or [ S J" 1 t=> T, are neither asynchronous bisimi- 
lar nor synchronous barbed congruent to the encoding of 0, i.e., T ^ a (y I) (I(T)) and T ^ a (u I) (I(T)), where 
[ J® = [y V) (7 (T)) =[[ ]"\ Note that this is not due to the encoding of 0, which is indeed weak asynchronous 
bisimilar to again, but to the observable junk, which suffice to distinguish the remains of emulations from 0. 
Because of this, a proof of the correctness of these encodings with respect to « a or = a fails due to operational 
correspondence (compare to the Definition [9]) . Of course, you might argue that an encoding that can not get rid 
of observable junk is no good encoding. On the other side, Nestmann in [NesQO] gives some good reasons to accept 
[ • Y a as a good encoding. Moreover, the translation of observables into something different seems to be a quite 
natural manner of encoding functions. And indeed rephrasing a standard equivalence to take instead of observables 
translated observables into account suffice to turn it into an equivalence that describes the abstract behaviour of 
encoded terms. The same holds if we do not consider observables at all, but e.g. only reachability of success. 

Note that to test a sum lock it has to be consumed first. Analysing the encoding function we observe that in each 
case an instantiation of sum lock is consumed, another instantiation of that lock is restored as soon as the respective 
test statement is completed. However, since there may lay many steps between the start and the completion of a 
test statement, instantiations of locks may temporally not be available. Because of that, we will use the notion of 
P JJ.™ instead of P J,™ in the following. 

Definition 26 (Translated Barbed Bisimilarity). Let P,Q EP a . Then P and Q are translated barbed bisim- 
ilar with respect to [ • J*, denoted by P « a Q, if 

1. PUs iffQ^s, 

2. for all (meNuJI, P JL* iff Q ^ 

3. for all P' e P a , P i — > P' implies Q 
4- for all Q' G P a , Q i — > Q' implies P 

And P and Q are translated barbed bisimilar with respect to [ • ]™, denoted by P Q, if 

2. for aline AT I) Jf, P Jj™ iff Q 1$, 

3. for all P' eP a; Pi — > P' implies Q \=> P' , and 

4. for all Q' E P a , Q i — > Q' implies P Q' . 

Note that the first condition of each equivalence ensures that it is success respecting as required in Section 11.31 
by Definition [T3J Conditions 2. to 4. than define a version of weak barbed bisimilarity which utilises translated 
observables instead of standard barbs. Note that we consider the translation of input as well as output observables, 
although our target language is asynchronous. However, since in case of [ • ]™ both kinds of source term actions are 
translated into requests and instantiations of sum locks, i.e., into outputs, the presented kind of barbed bisimilarity 
does consider barbs on outputs only. So it is an asynchronous variant of barbed bisimulation. Moreover note, that 
due to the definition above we do not consider any barbs except for translated barbs. However, analysing the 
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4 Note that we present this fact just to visualize our intuition. We do not use it within another proof. 



encoding function [ • ] , we observe, that for all target terms all free in- or outputs are on the request channels pi 
and p . So, since we do only consider target terms, requests are indeed the only interesting barbs of [ • ] m . 

Alternatively, we could decide not to consider barbs at all, by omitting the second condition of f« a and ps™! . 
We result then in an equivalence that considers only reachability of / as abstract behaviour of a term. Note that this 
intuition goes along very well with the criteria defined by Gorla as they also do only require a similar reachability 
of /, because reachability of success is defined independent of a specific source or target language. An advantage of 
such an equivalence is the fact, that it is independent of the considered encoding function. However, the resulting 
equivalence is obviously strictly weaker then « a and w" 1 ]^ . Moreover, « a and « a \ much better describe how 
the encoding function proceeds source terms and emulate source term steps. So we will use these equivalences in 
the following. 

In case of [ • ] we are faced with an other problem concerning the choice of an appropriate equivalence, although 
that problem is by far not that crucial as observable junk. As explained above, the encodings of structural congruent 
source terms can differ in the number and nature of reachable intermediate states (compare to Examplc[T] Definition 
1231 and the following discussion above). Operational Soundness explicitly allows for intermediate states, i.e., target 
term states that due not map to the encodings of any of the corresponding source terms. However, if x does 
distinguish target terms by reachability of intermediate states, we have a problem with the Cong rule of Figure [2] 
and operational completeness of Definition [5] Let us consider the source terms S = (a. Si + a. S2) \ a. S3 \ a. Si and 
S' = a. S3 I (a. Si + a.5 2 ) I a.S*4 again. The source term b.S \ b can reduce to S but by the Cong rule it can reduce 
to S' as well. [ • ]™ can emulate the first step modulo w™]^ but not the second step. Note that the Cong rule 
is used to shorten the presentation of the reduction semantics, but it is neither necessary nor was it the originally 
choice. So the most natural way to circumvent this problem is to rephrase the rules of the reduction semantics by 
avoiding the Cong rule and with it the possibility to arbitrary reorder the subprocesses during reductions. However 
we can also circumvent this problem by using an equivalence which does not distinguishes terms by the reachability 
of intermediate states. 

Definition 27 (Translated Barbed Bisimilarity). Let P, Q G P a . Then P and Q are translated barbed bisim- 
ilar with respect to [ • J , denoted by P «™ 2 Q> */ 

1. P V iffQU, 

2. for all fieJVU 77, P JJ m iffQ fy™, 

3. for all P' G P a , P t=> P' implies that there exists some P" G P a such that Q t=> «™ 2 P" an d P' l=== ^ P"> an d 
4- for all Q' G P a , Q l=> Q' implies that there exists some Q" G P a such that P t=> « a n 2 Q" and Q' l=> Q" . 

Note that the second version of «™ is strictly weaker then the first version and that we only use it to circumvent 
the problem with the Cong rule in operational completeness (and the therefore necessary Lemma l2"Tj) . Because of 
this we prove the remaining results using the stricter equivalence; silently omitting the subscript 1. 

Before we use these relations, we prove that they are indeed equivalences. 

Lemma 14. All presented translated barbed bisimulations are equivalence relations. 

Proof. We have to show that « a 1 > and ^ a 2 are reflexive, symmetric, and transitive. Reflexivity and 

transitivity follow directly by definition. For transitivity of w" 1 ]^ assume P, Q,R G P a such that P ^™i Q and 
Q R. By the first condition we have P JJ^ iff Q JJ./ iff R JJv. And by the second condition for all fi G JV U J\f 
we have P JJ.™ iff Q JJ m iff R JJ. m . So we can conclude that P JJ^ iff R JJv and P JJ.™ iff R JJ™. 

By the third condition for all P G P a with Pi — > P' there is some Q' G P a such that Q Q' and P ^1 Q '■ 
Without loss of generality let us assume, that the sequence Q l=> Q' is of length n, i.e., there are Qi, . . . , Q n G P a 
such that Qo 1 — > Qi 1 — > ■ ■ ■ 1 — > Qn, Qo = Q, and Q n = Q' ■ Let R = Rq and R' = R n . Then, by the third 
condition, for each step in Q l=> Q', i.e., for each Qi-i 1 — > Qi with < i < n, there is some Ri G P a such that 
Ri-i t=> Ri with Ri ii™ \ Qi. So we conclude that for all P' G P a with P 1 — > P' there is some R' G P a such that 
R t=> R 1 and P' ^™i R' ■ The argumentation for the last condition is similar. 

The argumentation for ii s a and w a 2 is similar. □ 

The observable junk does not only rule out standard equivalences but also congruences with respect to contexts, 
that allow for interaction with observable junk. In both encodings such an interaction can for instance lead to a 
positive instantiation of a formerly negative instantiation of a sum lock and so turn observable junk into a translated 
observable, or it can instantiate a sender lock and so complete emulations on junk. 

Example 2. Let us consider the target terms T x = (v I) ([y./]® | 7(_L)) and T 2 = {vl) ([yV] m | T <JL>) . By the 
Lemmata l26l and 1271 in the next section, we prove that both terms are junk. They be produced as remains of emula- 
tions (or a part of such a remain), e.g. for a source term x + y./ \ x. Since neither T\ nor T 2 reaches any translated 



observables or unguarded occurrence of /, we have Tj. [ ] a and T 2 «™ [ J™. However, we can distinguish T\ 
from \ f a by the context C x ([•]) = [•] | # (y) (-, s, -) .1, because C x (T x ) ^ but C x (0) ^ So Cj (Ti) & C x (0). 
Accordingly, we can distinguish T 2 from [ ]™ by the context C 2 ([•]) = [•] | p (—, — , s, — ) .s, where p is the free 
output request channel of [ y./]™. Again we have C 2 (T 2 ) JJv but C 2 (0) jjv, i.e., C 2 (T 2 ) C 2 (0). 

Because of this, in order to prove operational completeness, we have to reduce the number of contexts we consider 
to obtain a congruence. Intuitively, we consider only contexts that respect the protocol of the encoding function. 
Thus, we consider only contexts that, if their argument is a target term as for instance the encoding of 0, result in 
a target term. 

Definition 28 (Translated Barbed Congruence). Two terms Ti,T 2 G V a are translated barbed congruent 
with respect to [ • ] a , denoted as T\ =| T 2 , if 

VC ([•]) G P a -+ P a . C ([ fj G VAi . n implies C (T x ) « s a C (T 2 ) . 

Two target terms T\,T 2 G P a are translated barbed congruent with respect to [ • ]™, denoted as T\ T 2 , i/ 

VC ([•]) e P a -> P a . C (I C) G 7Y[ . ,» implies C [T{] C (T 2 ) . 
Two target terms Ti,T 2 G Pa are translated barbed congruent w«£/i respect to [ • ]™, denoted as T\ =™ 2 */ 

VC ([■]) G ^ -> ^ • C (I D G PaT[ . ,» implies C (Ti) < 2 C (T a ) . 

Note that we again usually only consider the stricter first variant of the congruence =™, while silently omitting the 
subscript 1. Operational correspondence considers only target terms, so it would suffice to define the congruence 
over target terms only. However, in defining it over all terms of the target language we gain more flexibility. We 
will use these flexibility in the proof of operational completeness to stepwise reduce junk which in some cases leads 
to non target terms. Since these non target terms are behavioural equivalent to the considered target terms, they 
serve as connecting pieces to link the target terms modulo =| or =™. Moreover note that the respective congruence 
relations are strictly weaker than their corresponding equivalences. 

Example 3. Let us consider the target terms Ti = [y./] a , T[ = [ y.O ] a , T 2 = [y./C and T 2 = [y.O J™. 
Obviously T x « a T{ and T 2 « a n T 2 . But neither T x =| T{ nor T 2 =™ T 2 , because in both cases the context has 
only to provide a translated input observable on ip s a (y) or </?™ (y), respectively. So in case of [ • J the context 
C ([']) = H I I x J a suffice to distinguish T x and T{, because C (Ti) 4^ but C (T{) f /. The argumentation for [[ ■ J" 1 
is similar, but due to the complex encoding of the parallel operator the respective distinguishing context is rather 
large. Because of that, intuitively, two equivalent target terms are congruent, only if the encoded continuations of 
their translated observables are again equivalent. 

Of course, all presented congruences are again equivalences. 
Lemma 15. All presented translated barbed congruences are equivalence relations. 

Proof. Let T U T 2 ,T 3 G P a . Then C (T x ) s£ C (T x ) for all contexts C ([•]) G P a -> P a ; so T x =\ Ti. Moreover, if 
Ti =1 T 2 , then C (Ti) C (T 2 ) for all contexts C ([■]) G V a -> V a such that C ([ ] a ) G PJj ■ ]»• Since « a is an 
equivalence, then also C (T 2 ) C (T x ) for all such contexts, i.e., T 2 ee| Ti. Finally, if T x T 2 and T 2 S a T 3 , then 
C (Ti) « a C (T 2 ) for all contexts C ([•]) G P a -)• Pa such that C (I ] a ) G P a f[ . ]», and C (T 2 ) C (T 3 ) for all such 
contexts. So also C (T\) « a C (T3) for all such contexts, i.e., T\ = a T3. We conclude that = a is an equivalence. 
The argumentation for =1^ and ="2 is similar. □ 

Moreover, the presented congruences include the structural congruence on the target language, because it is 
already included in the respective bisimulations. 

Lemma 16. Translated barbed bisimulation includes structural congruence, i.e., 

VTi,T 2 G P a • Ti ee T 2 implies T x « a T 2 A T x «™ T 2 . 

Proof. Let us assume Tj ee T 2 . Then, by rule Cong in Figure [2l Ti and T 2 can perform exactly the same steps 
such that the successors are again structural congruent. Note that this holds even in case of [ • J" 1 and is obviously 
a stronger feature than the third and fourth condition of (compare to Definition Wf\ . Since, by Definition [TT1 

reachability of success is defined modulo structural congruence, T\ and T 2 have the same chance to reach success, 



i.e., T\ JJ./ iff T 2 JJv- Similarly, translated observables are defined modulo structural congruence for both encodings 
in Definition 1251 Note that we do not consider translated observables on restricted names, since the corresponding 
in- and outputs in the source terms are no observables as well. Because of that translated observables can not be 
changed by alpha conversion. So Ti and T 2 have the same set of translated observables and the same chance to 
reach a translated observable, i.e., (Ti iff T 2 (Ti |™ iff T 2 |™), (Ti ^» iff T 2 JJ.^), and (Ti J]™ iff T 2 J!™) 
for all /Lt G A/" U Jf. So Ti w° T 2 and Ti T 2 . □ 

Lemma 17. Weak translated barbed congruence includes structural congruence, i.e., 

VTi, T 2 G 7> a • Tx = T 2 implies T x S£ T 2 A Ti =™ T 2 . 

Proof. By Definition [28l =| is the largest congruence on contexts restricted to target terms included in , and =™ 
is the largest congruence on contexts restricted to target terms included in . Note that Definition [28] restricts 
only the contexts but not the considered terms. Thus, since by Lemma [T6] structural congruence = is included in 
«3 and «™ , it is included in =| and □ 

Remember, that to our intuition pure administrative steps are only pre- or postprocessing steps that do not 
influence which emulations can be completed. To underpin that intuition, we prove that pure administrative steps 
do not change the state of a target term modulo the considered equivalences and congruences. 

Lemma 18. Pure administrative steps do not influence the state of a target term modulo translated barbed bisimi- 
larity or translated barbed congruence with respect to [ • J a , i.e., 

VT, T' G Paf[ . ]| . T\==?T' implies T^T'aT^ T'. 

Proof. Translated barbed bisimilarity is some kind of weak bisimilarity that takes instead of observables the reach- 
ability of / and the reachability of translated observables into account. Note that it is not possible to reduce /. 
So, in case T t=> T', the only way that leads to -1 (T JJv iff T' -IJv) is that in the sequence of steps from T to T' 
there is a step that rules out a former possible way to unguard some occurrence of /. Since by Definition [55] pure 
administrative steps can not consume translated observables, the same holds for the consideration of translated 
observables. We have to show, that it not possible when using only pure administrative steps to rule out a way to 
a translated observable or an unguarded occurrence of /. 

Obviously, in case none of the pure administrative steps rules out any other sequence of steps, i.e. if none of the 
administrative steps is in conflict to any other sequence of step, this condition holds. Because of that, by Lemma 
El Tt=^T' implies (T JJv iff V \/). 

For the same reason, and since pure administrative steps do neither consumes positive instantiations of sum 
locks nor outputs on translated source terms, they do not influence the set of reachable translated observables, i.e., 
T iy iff T' iy for all /i G AfUAf. Note, that such a step can restore a positive or negative instantiation of a sum lock 
by resolving a test on a negative instantiated sum lock or can unguard new requests and sum lock instantiations 
by a step on a sender lock, so pure administrative steps influence the set of translated observables. But, since they 
do not rule out a run that leads to a translated observable, they do not influence the set of reachable translated 
observables. So T *° T'. 

Since pure administrative steps do not influence the state of arbitrary target terms modulo «| and since the 
congruence =| does only consider target term contexts (compare to Definition I28[) . pure administrative steps do 
not influence the state of target terns modulo =|, i.e., T =| T'. □ 

Lemma 19. Pure administrative steps do not influence the state of a target term modulo translated barbed bisimi- 
larity or translated barbed congruence with respect to [ • ] , i.e., 

VT, T' G PaT[ . jm .T\==?T' implies T T' AT ~™ T'. 

Proof. Translated barbed bisimilarity is some kind of weak bisimilarity that takes instead of observables the reach- 
ability of / and the reachability of translated observables into account. Note that it is not possible to reduce /. 
So, in case T t=> T', the only way that leads to -1 (T JJv iff T' JJv) is that in the sequence of steps from T to T' 
there is a step that rules out a former possible way to unguard some occurrence of •/. Since by Definition [55] pure 
administrative steps can not consume translated observables, the same holds for the consideration of translated 
observables. We have to show, that it not possible when using only pure administrative steps to rule out a way to 
a translated observable or an unguarded occurrence of /. 

Obviously, in case none of the pure administrative steps rules out any other sequence of steps, i.e. if none of 
the pure administrative steps is in conflict to any other sequence of steps, this condition holds. Fortunately, indeed 



most of the pure administrative steps are not conflicting. By Lemma [TU1 the condition T «™ T 1 holds for all steps 
that are on a sender lock or do not unguard an instantiation of a chain lock carrying a request channel. 

Revisiting the argumentation in the proof of Lemma [10] we observe that the remaining steps either influence 
the order of requests in chains of right requests (compare to procRightOutReq and procRightlnReq) or the order of 
encoded continuations in the chain build up by the encoding of a replicated input. By Lemma [TTJ these steps do not 
introduce deadlock, moreover revisiting the argumentation of the proof of this lemma we observe, that their impact 
on the ordering within the chain is indeed their only impact on the behaviour of target terms. Since all encoded 
continuations of a replicated input are initially the same, their order does not matter for the reachability of / or 
translated observables. The same holds for the order of requests, because regardless of their order eventually each 
combination is checked. Indeed, a different order may only lead to more or less necessary invisible steps on requests 
channels to combine a specific pair of requests. Because of that, even the pure administrative steps that unguards 
an instantiation of a chain lock do not influence the state of the target term modulo ps" 1 . So T « a X". 

Since pure administrative steps do not influence the state of arbitrary target terms modulo «™ and since the 
congruence =™ does only consider target term contexts (compare to Definition I28[) . pure administrative steps do 
not influence the state of target terns modulo =™, i.e., T =™ T' . □ 

Note that due to these two lemmata we can mostly ignore pure administrative steps in the following proofs, 
since they are invisible modulo the considered equivalence and congruence relations. To handle the Cong rule in 
the proof of operational completeness we prove that both encodings preserve structural congruence of source terms 
modulo the presented equivalences and congruences. 

Lemma 20. The encoding [ • ] a preserves structural congruence of source terms modulo translated barbed bisimi- 
larity and translated barbed congruence, i.e., 

VS,S> eVs.S^S' implies {Sf^l { S' J' A [ S ] a [ S' | a . 

Proof. The strict use of the renaming policy </?|, i.e., the fact that source term names are translated into single 
names not used by the encoding function for special purposes, ensures the preservation of equality modulo alpha 
conversion. Since the parallel operator, the match operator, and restriction are translated rigidly, the encoding [ ■ ] a 
preserves structural congruence of source terms for all rules except for P | = P, i.e., if S and S' are structural 
congruent without using the rule P | = P, then [ Sf a = [ S' ] a . By Lemma QH then [ S ] a »| [ S' ] a and, by 

Lemma[nithen[SJ a - a IS'j:. 

The rule P | = P is not preserved, because the empty sum is not translated rigidly, so e.g. | = but 
[ | ] a = (y X) 1 (T) | (y I) 1 (T) ^ {v 1)1 (T) = [ J a . Note that, because of the renaming policy ip s a and the rigid 
translation of restriction, the rule {un)0 = is preserved, i.e., since ip\ (n) ^ fn(JO] a ), we have [ (vn)0\ s a — 
(y ty? a {n)) (y I) 1 (T) = (W)I(T) = [ ]!. However, since is translated into a closed term that can not perform 
any step, its encoding behaves as 0. In particular [ ] a can not interact with any context and does not reach success 
or any translated observable on its own. So, even in this case, we have [ S ] a « a [ S" ] a and [ S ] a =| [ S' ] a . □ 

Since [ • ]™ does not translate the parallel operator rigidly, it does not directly preserve structural congru- 
ence of source terms. But, since the encoding preserves the abstract behaviour of source terms, the encodings of 
structural congruent source terms are similar modulo equivalences measuring only these abstract behaviour. As 
already explained, to prove the following statement, the equivalence must not distinguish terms by their reachable 
intermediate states. 

Lemma 21. The encoding J • J" 1 preserves structural congruence of source terms modulo translated barbed bisimi- 
larity and translated barbed congruence, i.e., 

VS, S's^.Se S' implies [ S ]° < 2 I 5' ]™ A [ S ]» S£ 2 [ S> ]° . 

Proof. Again, the strict use of the renaming policy ip™, i.e., the fact that source term names are translated into single 
names not used by the encoding function for special purposes, ensures the preservation of equality modulo alpha 
conversion. So S = a S' implies [ S ]™ = a [ S' ]™. Also, the rigid translation of the match operator and restriction 
ensures the preservation of structural congruence modulo the rules [a = a]P = P, (vn) = 0, (yri){vm) P = 
iym) iyn) P, and P \ {v n) Q = (v n) (P \ Q) if n ^ fn(P). So, if S and S' do only differ due to one or more of these 
four rules, then [ S ]™ = [ S' ]™. By Lemma [T6l we conclude [ S ]™ I J™ an d> by Lemma [T7l we conclude 

I S C -L n 2 I S' I" 1 for both of the above cases. ' "" 

With the preservation of these rules in mind we show the lemma by an induction over the proof tree of S = S 1 ', 
i.e., over the number of structural congruence rules which are applied to show S = S' . 



Base Case: If S = S> , then [ S ] m = [ S> ] m . So, by reflexivity, [ S ]™ < 2 [ 5' ] m and I 5 J™ S£ a [ S> ] m . 

Induction Hypothesis: If 5 and 5" can be proved to be structural congruent within n applications of structural 
congruence rules, then { S ]» < 2 [ 5' ] m and [ S £ S^ a [ S> ] m . 

Induction Step: S and S" can be proved to be structural congruent within n+1 applications of structural congru- 
ence rules. Let S" e P m be such that S and 5" can be proved to be structural congruent within n applications 
of structural congruence rules and S" and S' can be proved to be structural congruent directly by one applica- 
tion of a structural congruence rule, i.e., S = S" = S' . By the induction hypothesis, [ 5 ]™ « m 2 I S" IT an d 
[S] m = m 2 [ S" Jf 1 . We proceed with a case split over the rule necessary to prove S" = S' . 
Case of Rule P | = P: In this case S" = P | and S' = P for some P 6 V m . By Figured 

I S 1 a j i Po,up ) Pi, up j ("0 3 ^i) ^o,up ; ^i,up) ( 

(vpo.Pi) ([P] m | procLeftOutReq | procLeftlnReq) 
| {vp ,Pi) ((W)7(T) | procRightOutReq | procRightlnReq) 
pushReq) 

and [ S' ]™ = [ P ] m . Obviously [ 5" ] m and [ 5" ] m are not structural congruent. However, [ P ] m appears 
unguarded within [ S" ] m , so if [ S' ] m reaches / or a translated observable then so does [ S" ]™. Moreover 
we observe, that, since the encoding of does not emit any requests, the hole right branch of [ S" ]™ 

(vp ,pi) ((W)T(T) | procRightOutReq | procRightlnReq) 

can do nothing but two steps on chain locks. Because of that requests of [ P ]™ are prepared to be trans- 
mitted to the right side by procLeftOutReq and procLeftlnReq but they are never received at the right 
side. What remains is the upward pushing of all requests of [P] m by the interplay of procLeftOutReq, 
procLeftlnReq, and pushReq. Because of that, for all target term contexts [ P | ]™ behaves as [ P J , i.e., 
I S" la *a n 2 I 5*' C and I S " C =™2 I S' ]™ Since «™ 2 and ^ m 2 are equivalences (compare to Lemmata 
[Hand US]),' by transitivity, we conclude [ S ] m «£ a [ S } ] m and [5 ] m =™ 2 [ 5' ] m . 
Case of Rule P \ Q = Q \ P: In this case S" = P \ Q and S' = Q | P for some P, Q € P m - Their encodings 
are given by: 

| S 1 a — nio : mi j Po.up i Pi, lip j j G i j TTlo.up j ^i,up ) ( 

(i/p , pi) ([ P ] m | procLeftOutReq | procLeftlnReq) 

(vp ,Pi) ([ Q ]™ | procRightOutReq | procRightlnReq) 
| pushReq) 

IS l a i ^2? 5 Po.up j Pi, up ) ^o , Cj , TRo,up i ^i,up ) ( 

(j/po, pi) ([ Q J™ | procLeftOutReq | procLeftlnReq) 

| (i/p ,Pi) ([PC I procRightOutReq | procRightlnReq) 

| pushReq) 

Since all combinations of left and right requests are checked, [ S" ] m can emulate the same source term 
steps as [ 5" ] m . However, since [ P ] m and [ Q ] m are exchanged at the outermost parallel operator the 
roles of left and right requests are exchanged. As a consequence, if a combination of requests from [ P J" 1 
and [ Q ]™ leads to a test on the respective sum locks, the order in which these locks are tested is different 
in I S" ]™ and [ S' ]"\ So [ S" ]™ and [ S' ] m differ in their total ordering of sum locks. The ordering in 
IS 1 "]™ is based on the structure induced by the nesting of parallel operators in P | Q; while the ordering 
in [ S' ]™ is based on the structure induced by the parallel operator nesting in Q \ P. Note that, since in 
both cases this structure is a binary tree, by Lemma [T^l the encoding does not introduce deadlock. But as 
explained in Example [1] the different orderings may lead to different reachable intermediate states. Apart 
from intermediate states [ S" ] m and [ S' ] m are similar, i.e., they have the same chance to reach success 
or translated observables. 

By Definition «™ 2 explicitly allows for different reachable intermediate states. Because of that, 

IS"]™ f*™2 I S' ] m - Analysing the encoding function in Figure 0] we observe that any encoded source 
term has at most two free names that are used as channels — remember that translated source term names 
are never used as channels within [ • ] m . Because of that, when placed within a target term context, [ S" ] m 
and J S' ] can start an interaction with the context only by transmitting their requests. Because we con- 
sider only target term contexts, i.e., contexts C ([•]) € P& — > V a such that C ([ ] m ) 6 P a fj . j™, the context 



respects the protocol implemented by the encoding function. So, if [ S" ]™ provides a translated observable 
and the context has the matching translated observable, then the context can interact with [ S" ]™ to 
emulate a source term step. Doing so, an encoded continuation, i.e., an encoded source term, is unguarded 
within the continuation of [ S" ] . Since S" = S', the same context can emulate the same source term step 
when interacting with [ S' ]™. Moreover, doing so, again an encoded source term is unguarded within the 
continuation of [ S' ]™ and the respective source terms of these continuations in case of [ S" ]™ and [ S' ]™ 
are again structural congruent. Because of this we can prove the preservation of structural congruence of 
source terms is also preserved modulo =™ 2 by assuming an arbitrary context and perform an induction 
over the number of emulations resulting from an interaction of the context with [ 5"' ] m . So we conclude 

Since w™ 2 an d —T2 are equivalences (compare to Lemmata [U and II 5|) , by transitivity, we conclude 
I S ]™ [ S' ]™ and [ S ]™ ^l] 2 I S' 
Case of Rule P \ (Q \ R) = (P | Q) \ R: In this S" = P (Q \ R) and S' = (P | Q) \ R for some P, Q, P G V m . 
Their encodings are given by 

I $ J a — iy j 1 Po,up 7 Pi, up 1 Co 1 C%t Wlo.up ; TH>i,up*) ( 

{vp . Pi) ([ P ]™ I procLeftOutReq | procLeftlnReq) 

I iy Po ) Pi) ( iy T^lo 5 IT^i i Po,up ) Pi. up : C , C i , TTl OU p , Tfli U p) ^ 

(f p , pi) (J Q J" 1 I procLeftOutReq | procLeftlnReq) 
I (vp ,Pi) ([ R 1™ I procRightOutReq | procRightlnReq) 
I pushReq) 
I procRightOutReq | procRightlnReq) 

pushReq) 

and 

I S ] a ^0 5 T^i ) Po,up ? Pi, up ) C , C j , TTl O U p , TTli U p ) ^ 

(l* Po 7 Pi) ( i i Po,up ; Pi, up ; ^-o j Q j TH>o,up 7 ^i,up ) ( 

(vp Q ,pi) ([ P]™ I procLeftOutReq | procLeftlnReq) 
I (vp 0l pi) ([ Q ]™ I procRightOutReq | procRightlnReq) 
I pushReq) 
procLeftOutReq | procLeftlnReq) 

I {vp 0l pi) ([ P ]™ I procRightOutReq | procRightlnReq) 

I pushReq). 

In [ 5" ]™ the encoding of Q appears left and the encoding of P appears right within the encoding of a 
parallel operator. Together they form the right branch of a surrounding encoding of a parallel operator, there 
the left branch is filled with [ P ]™. In opposite in [ S' ]™ the terms [ P ]™ and [ Q ]™ are left and right 
of a parallel operator encoding which is the left branch of a surrounding parallel operator encoding, where 
[ R ]™ appears right. However, since all requests are pushed upwards to each surrounding parallel operator 
encoding, again all combinations of requests among the three encoded subterms [P]"\ [ Q J^, and [ R ]™ 
are checked in [ S" ]™ as well as in [ S' ]™. Moreover, we observe that in both encodings [ S" ]™ and [ S' J" 1 
the encoding of P is always left to the encodings of Q and P, and the encoding of Q is always left to the 
encoding of P. So in this case [ S" ]™ and [ S' ]™ do not differ by the underlying total ordering of sum locks, 
i.e., they reach the same intermediate states. So the behaviour of [ S" J™ and [ S' ]™ does only differ by 
pure administrative steps on requests but they have the same chance to reach / and translated observables, 
i.e., [ S" ]™ «™ 2 [ S' ]™. Revisiting the argumentation of the case before we also get [ S" ]™ =™ 2 [ S' ]™. 
Since «™ 2 and are equivalences (compare to Lemmata [U and II 5|) , by transitivity, we conclude 

IS£ < 2 [5'Cand[5C-- 2 [^C- 
Else: For the reaming rules we can apply the above argumentation to show that [ S" ] a = [ S' ] a . By the 
Lemmata HH and [13 we have [ S" ]™ [ S' ]* and [ S" ]™ ^ 2 I S" ] a \ By Lemma [Hand Lemma 

1X51 ^^2 and =™ 2 are equivalences. Thus, by transitivity, we conclude [ S ]™ I iT anc ^ I & 1™ — ™2 

is' IT- "' " 



□ 



These two lemmata finally prove that the intermediate states in combination with the application of the Cong 
rule on source terms do not falsify the criterion on operational completeness modulo w™ 2 • 

2.5 Junk 

We consider remains of emulations that behave modulo « a and «™ like and do not influence the possibility 
or inability to emulate further source term steps as junk. The emulation of source term steps may leave different 
kinds of junk. So, e.g. in order to show operational completeness, we have to prove that junk does no harm. 

Of course we are only interested in kinds of junk that appear in target terms, i.e., that are pieces of target terms. 
However, to ease the argumentation on the proof of operational completeness we want to allow to stepwise reduce 
junk. Unfortunately, as soon as we reduce a target term by the first piece of junk it is often no target term any 
more. So, in order to allow for a stepwise reduction of junk, we give a recursive definition of what it means to be a 
piece of a target term. 

Definition 29 (Piece of a Target Term). A term T G P a is a piece of a target term of [ • J*, denoted by 

T G 7>aT[ • ]j V (37", J G P a . 3i C N . T = (vx) T' A T **(yx) (T' \ J) A (vx) (T 1 \ J) G qj (Vi { . f J) . 
Accordingly, a term T G V a is a piece of a target term of [ • ]™, denoted by T G (Pa[[ • ] m ), if 

T G P a t[ . ]? V (3T\ J G V & . 3x C N . T = (vx)T' A T (ux) (T' | J) A (vx) (T' \ J) G «p (7?J[ . ]»)) . 

Intuitively, the definition above allows for a piece of a target term to recover the corresponding target term by 
stepwise restoring the reduced junk. Moreover note, that, although the relations =| and =™ are not sensitive to 
divergence, they are sensitive to deadlock. That is why we require T =| (fx) (7" | J) or T =™ (I'sc) (T' | J) to 
ensure that indeed only junk is removed and so, no deadlock is introduced. 

Definition 30 (Junk). A term J G V a is called junk of the encoding [ • ] a modulo «^ , if J behaves modulo «^ 
similar to for all pieces of target terms, i.e., 

VC ([•]) eP a ^P a .C(J)e«p (VJ l . ,.) 4 mp/ Jes C (J) « s a C (0) . 

^4 term J G V & is called junk of the encoding [ • ]™ modulo «™ , z/ J behaves modulo «™ similar to /or <zZZ 
pieces of target terms, i.e., 

VC ([•]) G P a -> P a . C (J) G (Pat! . ]») imp/fca C (J) «L n C (0) . 

Since we do not consider junk modulo equivalences different from ii s & and fa" 1 , we omit the equivalence in the 
following. Moreover we omit the encoding function if the considered junk appears within both encodings. 

Of course, whenever we reduce a piece of a target term by removing junk, the result is again a piece of a target 
term. Moreover, reducing junk does not change the behaviour of such a term modulo =? a or =™. 

Lemma 22. Let T be a piece of a target term including some junk J G "P a - Then removing this junk results a piece 
of a target term which is congruent to T, i.e., 

VT G (7>at[ • n) ■ V7" G P a . Vi c N . T = (vx) (7" | J) implies [vx] T' G qj {VJ l . r J A T = s a (yx) T' 

and 

VT G (Pafi . I? ) . VT' eP a .VsCjV.rE(i/i) (T' I J) imp/ies (i/s) T" G «P (P a f[ . ]») A T ^ T'. 

Proo/. Let J G P a be junk. And let T G qj (P a f[ . ]■), T' G P a , and x C Af such that T = (i/i) (T' | J). We show 
the lemma for [ • ] . The argumentation for [ • ]™ is then similar. 

Since, by Lemma [T71 =| includes structural congruence, 7 = (vx)(T' \ J) implies T =| (vx)(T' \J). By 
Definition CM then C (T) « a C ((vx) (T \ J)) for all contexts C ([•]) G P a -> P a such that C ([ ] a ) G P a [[ . jj. Let 
C' ([•]) = (i^x) (T' | [•]). Then C is a context, i.e., C' ([•]) G P a — > P a , and, since 7 G q* (P a fj . jm) and T = C' (J), 



we have C' (J) G (VJy . ]-). Thus, C (T) r£ C (V (J) J for all contexts C ([■]) eP a ^P a such that C ([ f a ) G 

Pafj . ].. Moreover, C' (J) G <P (V^i . jm) implies C (V (J)) G (PJj . jm) for all such contexts C. By Definition [301 

of junk, then C (c' (J)) « a C (c' (0)) for all such contexts C. Since C (c' (0)) = C ((>£) (T | 0)) = C ((vi)T') 

and since, by Lemma 1161 includes structural congruence, we deduce C (c (J) J ^ a ^ (O^)^') f° r a ^ such 

contexts C. Because «| is, by Lemma [TJ] an equivalence, C (T) « a C (c (J) J for all such contexts C and 

C (V (J)) « a C for all such contexts C implies C (T) C ((f z)T') for all such contexts C. Thus, by 

Definition HSl we conclude T = a (v x) T'. 

Finally, since = a includes structural congruence and is an equivalence, T = a (yx)T' implies (vx)T' =| 
(i/ i) (T' | J). Thus, since (i/ S) (T' J) G <P (7 7 a [ [ . js), we conclude i) V G *P (P a f ( . ]=). □ 

Using this lemma we can remove junk from a target term T. As result we obtain a piece of a target term T" such 
that T = a T" or T =™ T', respectively. Then we can further reduce T' by removing junk such that we result in a 
piece of a target term T" with T' = a T" or T 1 =™ T" and so forth. Note that, we spend some effort in defining the 
notion of a piece of a target term to allow the stepwise remove of junk. This allows us to consider different kinds of 
junks separately. If we instead consider all possible junk of a target term at one go, then for the definition of junk 
it suffice to require that the context C is such that C (J) is a target term. However, it seems to be more efficient 
and more descriptive to consider the different kinds of junk separated. 

In the simplest case junk is a closed process that can not perform any step, i.e., junk is invisible and inactive. Such 
kind of junk is produced e.g. as remain of a test-statement. By Definition [5j a test-statement and the corresponding 
instantiations of boolcans arc defined as: 

7(T) 4 l(t,f).t 
]<!_) 4 Z (<,/)./ 

test I then P else Q = (ut, f) (I (t, f) \ t.P \ f.Q) for some t,f <£ fn(P) U fn(Q) 

Depending on whether we test a positive or a negative instantiation we result either in the then-case (y t, f) (P | f.Q) 
or the else-case (vt, f) (t.P | Q). Due to the renaming policy within target terms t and / are neither free in P nor 
in Q. So we can pull out the interesting cases P or Q and (vt, f) f.Q or (vt,f)t.P remain as inobservable and 
inactive junk. 

Lemma 23. For any t, f G M and any P,Q G 7\ the terms (v t, f) f.Q and (v t, f) t.P are junk. 

Proof. Let J\ — (v t, f) f.Q and J2 = (v t, f) t.P. J\ as well as J2 are closed terms, which can not perform any step. 
Moreover, they reach neither success nor any translated observable, i.e., J\ J//, J2 $s, Ji JJ^j J2 Jj^, J\ and 
J 2 #™ for all n e AfU 77. Because of that, for all contexts C ([•]) G V a -> V a we have C (Ji) « a C (0) w a C (J 2 ) and 
C (Ji) « a n C (0) « a n C (J 2 ). Thus, by Definition [301 Ji and J 2 are junk. □ 

Note that, due to this lemma, we can securely omit the remains of test-statements in the following. An other 
kind of inobservable and inactive junk is produced by the translation of the empty sum 0. It results in a positive 
instantiation of a sum lock that is not used anywhere. However, let us generalise this case a little bit to an arbitrary 
instantiation of a sum lock (either positive or negative) that is not used anywhere. 

Lemma 24. For any name I the term (u I) (1 (z)) , where z G B, is junk. 

Proof. Let J = (v I) (j(z)). J is a closed term, which can not perform any step. Moreover, this term can reach 
neither success nor any translated observable, i.e., J J , and J $™ for all G J7 U 77. So for all contexts 
C ([•]) e? a ^Pa we have C (J) w a C (0) and C (J) « a n C (0). Thus, by Definition E23 J is junk. □ 

Note that this lemma especially shows that the translation of the empty sum is junk, i.e., we translate nothing into 
nothing but junk. Moreover we will use it to reduce the remains left over by emulations. In the following lemma we 
prove, that requests on negative instantiations of sum locks are junk of the encoding from 7r m into 7r a . Note that in 
this case we consider potentially observable and active junk. 



Lemma 25. Requests on negative instantiations of sum locks are junk of [ • ] , i.e., 

VC X ([-]) eV a ^V a .V P i,y,l,reAf . 
Ci (W (y, l, r» G <p . ,») A (3T g V a . 3x C M . C x (0) = {vx) (T | 7 (_L))) 
implies Cj (ft (y, Z, r)) «™ C a (0) 

and 

VC 2 ([•]) G P a -> Pa • Vp ,j/, /, a,z G M . 

C 2 {p~o (y, I, s, z)) G V (V s S l . ,») A (3T G P a . 3i C M . C 2 (0) = {vx) (T \ 1 (_L))) 
impZies C 2 (p7 (y, Z, s, z)) w" 1 C 2 (0) . 

Proof. Let Ji = pl{y, I, r) and J 2 = p^{y, I, s, z). 

Since we require C 1 ( Ji) , C 2 (J 2 ) G *}3 (V^i . ] m ) , we consider only contexts that respect the protocol implemented 
by the encoding function [ • ]™. By analysing the encoding function in Figure 21 we observe that there are many 
forwarders for requests, i.e., many replicated inputs that consume requests and immediately restore a request on a 
different channel but with exactly the same values. Note that by such forwarders requests are multiplied. Most of 
these copies turn out to be junk. However, note that the encoding function restricts the request channels — except 
for the outermost — and provides for each such channel exactly one (replicate) input and no inputs or replicated 
inputs for unrestricted request channels. Because of that, the way a request may travel is completely determined, 
i.e., given a target term there is no choice about which way a request may take. 

Moreover, if the context puts the requests at the outermost position, then they can not be consumed at all, 
i.e., in this case the requests are observable but inactive junk. By Lemma |4j the negative instantiation of the sum 
lock I is the only instantiation of that lock and, by Lemma it can not be changed by the context into a positive 
instantiation. So, by Definition [53 the requests are not considered as translated observables, i.e., J\ $™ and J 2 J/™ 
for all n G J\f U J7. Obviously, J\ and J2 also have no possibility to reach /, i.e., J\ $s and J2 JJv- Thus for all 
contexts C x ([•]) ,C 2 ([•]) £ V a -> V a such that C x (Ji) ,C 2 (J 2 ) £ (7V[ ■ J m ) > Pi G H<k ( J i))> and Vo G fn(C 2 (J 2 )), 
we have C x (Ji) «™ C x (0) and C 2 (J 2 ) C 2 (0). 

Note that we consider only contexts C\ and C 2 , such that C x (J±) and C 2 ( J 2 ) are pieces of target terms. So all 
requests — including J\ and J 2 — origin from the translation of input or output guarded terms or replicated inputs. All 
inputs on request channels, i.e., channels that can transport either three or four values, origin from the translation 
of the parallel operator or a replicated input. We observe that, for each request, the encoding of a parallel operator 
receives from one of its encoded parameters, one copy of that request is pushed upwards. Similarly, for each request 
of each branch of an encoded replicated input one copy is pushed to the right. Because of that, requests never 
vanish. As soon as a request in a target term is unguarded for the first time, there will always be a copy of that 
request possibly on another channel but with the same values (compare to Lemma [3]). 

Note that all inputs on request channels are replicated inputs except for the first inputs in the processing of right 
in- or output requests in the encoding of a parallel operator or a replicated input (compare to procRightOutReq and 
procRightlnReq). However, even in these two cases the consumption of a request enables — after one internal step 
on a chain lock — the processing of another request in exactly the same way modulo some forwarding processes. So 
the order in which requests are consumed does not matter (compare to Lemma lit \. Moreover note, that the step 
on the chain lock is completely determined again, i.e., there is no choice about eventually doing it or how to do it. 
Because of that, the fact, that a request was already pushed further or not, does neither influence the reachability 
of success nor the reachability of translated observables. 

Except from transferring them the encoding function can proceed requests only by combining them. [ • ] 
ensures, that each pair of requests is combined at most once and that each pair of an input and an output requests, 
which do not both origin from the same leaf concerning the structure of parallel operator encodings, is eventually 
combined. Because of that, again the order in which those combinations are performed does not matter. However, 
the order in which tests on sum locks are induced does indeed matter, because a test induced on only positive 
instantiations of sum locks turns them into negative instantiations and so a former such test may influences later 
tests. Since the test is always induced on the sum locks related to the respective request, all test that are induced 
because of the requests J\ or J 2 are on at least one negative instantiation of a sum lock, i.e., on I in the current case. 
Note that, by Lemma [4] the negative instantiation of the sum lock I is the only instantiation of that lock and, by 
Lemma[SJ it can not be changed by the context into a positive instantiation. If we now analyse the test-statements 
in the encodings of an input guarded term or a replicated input, we observe that this false instantiation of I reduces 
the test-statements to some kind of forwarders that consumes one or two instantiations of sum locks and since 



there are no deadlocks on these test-statements eventually restores them on exactly the same channel and with 
exactly the same value. So again the processing of J\ or J 2 do neither influence the reachability of success nor the 
reachability of translated observables. 

So for all contexts C l ([•]) ,C 2 ([•]) G V a -> P a , such that C l (Ji) ,C 2 (J 2 ) G (Pij . jm), we have 

(Cj ( Ji) ^ iff C x (0) 4/) A (C 2 ( J 2 ) ^ iff C 2 (0) 4/) and 
(C t (Ji) ^ iff C x (0) A (C 2 ( J 2 ) 4" 1 iff C 2 (0) )%) 

for all p G N U AT. Since all steps that results from an interaction with J\ and J 2 are administrative steps, that 
neither rule out a way leading to an unguarded occurrence of ■/ nor to a translated observable, they do not influence 
the state of a term modulo . Thus, we conclude C x ( J\) «™ C 1 (0) and C 2 {J 2) C 2 (0). □ 

Next we show, that — for both encodings — encoded guarded terms linked to negative instantiations of sum locks 
are junk, as well. Note that such encoded guarded terms linked to negative instantiations of sum locks result from 
encoded sums of which already one summand was used to emulate a source term step. 

Lemma 26. For any name I, any finite index set I , all guards 7Tj, and all processes Pi G V s the term 
is junk of I ■ ]° . 

Proof. Let J = (vl) (J\ i£l [ m.Pi J® | 7 (_L)). By Definition 1501 we have to show that for all contexts C ([•]) G V a -» 
V a such that C ( J) G <P (Pafi ■ ]») we have C (J) «° C (0). 

By Lemma SJ the negative instantiation of the sum lock / is the only instantiation of that lock and, by Lemma 
[5j it can not be changed by the context into a positive instantiation. Analysing the encoding function in Figure 
[3] we observe, that all unguarded in- or outputs with three parameters in J are connected to I(J-). Thus J has 
no translated observables, i.e., J for all [1 G M U 77. Moreover, because of the guards m, J has no unguarded 
occurrence of / and can not reach some on its own, i.e., J -JJ^. 

J can perform a step on its own only if for some j G I the guard ttj is equal to r or is an input guard. Note that in 
the second case J can only perform finitely many steps on receiver locks. Since I is instantiated by _!_, [ t.Pj ]™ can 
reduce to only. Therefore, [ T.Pj ] m has to consume 7(_L) but the instantiation is always eventually restored. Be- 
cause of that, we can ignore all [ i^i-Pi ]™ for 7T,; = r, i.e., they are junk. Let J' — (v I) (jj iel n .^ T [ ^i-Pi ]™ | 7 (_L)^ . 

Moreover, obtain J" from J' by reducing all free inputs on receiver locks. 

Then J" can not perform any step, since either all remaining guards are output guards and so all unguarded 
inputs in the encoded subterms are on not instantiated sender locks, or all remaining guards are input guards and 
so the encoded subterms are input guarded, i.e., J" v/— h In case the index set {i | i G I A iti ^ t} is empty, we 
can apply Lemma 1241 Else, there are either free outputs or free inputs on translated source term names. So J" 
can communicate with the context over these translated source term names. As a result of such a communication 
a test-statement is unguarded. In case this test-statement is within J", the sum lock / is tested first. Since I is 
instantiated by _L, the test-statement restores both, the consumed negative instantiation of I and the output on 
the translated source term name, which was consumed to unguard this test-statement. Else, if the unguarded test- 
statement is not within J", then — besides the negative instantiation of the sum lock — J" includes only encodings 
of output guarded source terms. In this case all these encodings of output guarded source terms provide exactly 
one output on a translated source term name, which sends as first value the sum lock I. In the communication 
with the context one of these outputs was consumed and, because of that, the unguarded test-statement is either 
a nested test-statement testing / as second lock or it is a single test-statement testing only I. In both cases all 
information necessary to unguard and to reduce the test-statement except for the output on the source term name 
is restored. Because of that, each such output can be used as most once. In both cases no step that results from 
an interaction with J" influences the reachability of success or of translated observables. Moreover each such step 
is either a pure administrative step, which by Lemma [IS] do not influence the state of a term modulo , or it is 
an impure administrative step. Since reachability of / is not influenced at all and all translated observables of the 
context which are consumed to unguard the test-statement are eventually restored, i.e., reachability of translated 
observables is not affected, even these impure administrative steps do not influence the state of the context modulo 
»j here. 



Thus for all contexts C ([•]) £ P, -> P a , such that C ( J) G (Pa[[ . we have (C (J) JJv iff C (0) JJv) and 
(C (J) JJ^ iff C (0) JJ-fJ for all 6 J\fu77. Moreover no step of J on its own or that results from an interaction with 
J does influence the state of the context modulo . So, C (J) C (0). □ 

Lemma 27. For any name I, any finite index set I , all guards m, and all processes Pi G V m the term 

(W) (j[ln.Pit\H^)\ 

is junk of I ■ 

Proof. Let J = (v I) (H iel I iti-Pi ]™ | 7 (-L)). By Definition [30] we have to show that for all contexts C ([•]) G P a -> 
P a such that C (J) G <P (Paf[ . jm) we have C (J) s£ C (0). 

By Lemma SI the negative instantiation of the sum lock / is the only instantiation of that lock and, by Lemma 
[5] it can not be changed by the context into a positive instantiation. Analysing the encoding function in Figure 
2] we observe, that all unguarded requests in J are connected to T(_L) (compare to Definition [T9l and Lemma [6]). 
Thus J has no translated observables, i.e., J ^ for all G 77 U 77. Moreover, because of the guards 7Tj, J has no 
unguarded occurrence of / and can not reach some on its own, i.e., J J//. 

J can perform a step on its own only if for some j E I the guard wj is equal to r. Since / is instanti- 
ated by -L, \ r.Pj ] can reduce to only. Therefore, [ r.Pj ] has to consume I (_L) but the instantiation is 
always eventually restored. Because of that, we can ignore all [ 7r,.Pj ] a for iii — t, i.e., they are junk. Let 

j' = ("i) (niswri^riw)- 

Then J' can not perform any step, i.e., J' There are no unguarded inputs on free names of J'. In case 
the index set {i|i£/A7Tj^T}is empty, we can apply Lemma 1241 Else, there are free requests, i.e., free outputs 
on requests channels. So J' can communicate with the context by transmitting its requests. By Lemma 1251 these 
requests are junk. Moreover by revisiting the argumentation in the proof of Lemma [25] we observe, that the false 
instantiation of I reduces all tests on that lock to simple forwarders. As a consequence no such test can unguard the 
encoding of a guarded source term, i.e., no such test can unguard new requests or former unguarded occurrences 
of success. So again we observe that no interaction with J or J' can influence the ability of the context to reach 
success or translated observables and no step that results from an interaction with J or J' influences the state of 
the context modulo « a . 

Thus for all contexts C ([■]) G P a -> P a , such that C ( J) G <P (Pa[[ . ]»), we have (C (J) JJv iff C (0) JJv) and 
(C (J) JJ™ iff C (0) JJ-™J for all /i G Af U 77. Moreover no step of J on its own or that results from an interaction 
with J does influence the state of the context modulo . So, C (J) C (0). □ 

Analysing the encoding function we observe, that the input on a receiver lock of an encoded input guarded 
source term, that guards a test-statement, is a replicated input. Of course, such a test-statement can only be used 
once to emulate a source term step. After such an emulation this replicated input becomes junk. 

Lemma 28. For any h, h, r, s, tp™ (x) G Af and any P G P m the term 

J=r*(l 1 ,l 2 ,~,s,<f^(x)).test h then test l 2 then h (_L) |fa(_L) \s\ I P J™ else^(T) \h{±) dse~k(±) 

in combination with a negative instantiation of the sum lock that belongs to r is junk of [ • ] , i.e., 

VC([.]) eV a ^V a .Vh,h,r,s,v™(x) eAf.VP£P m .VJGP a . 

J = r* (h,l 2 ,-,s,tp 1 l 1 (x)).test h then test l 2 then^(L) | (JL) | s | [P] a else^(T) \h(±) else ^ (_L) 
AC (J) G ( P(P a r M ») A (3TGP a . 3icAA. B Pi ,y, I e M . C (0) = {vx) (T\Ti{yJ,r) | T<_1_») 
implies C (J) w™ C (0) 

Proof. Analysing the encoding function in Figure |4] we observe that the request Pi{y, I, r) implies that each test 
induced on r tests the sum lock I (compare to Lemma [6]). Since that lock is already instantiated by false, we can 
revisit the argumentation of the proof of Lemma [57] to conclude that each test induced on r reduces to a simple 
forwarder, which restores all consumed information. So J can be ignored, i.e., J is Junk. □ 

Another remain of an emulation, which we can simply consider as junk, is the preparation of a test on a negative 
instantiated sum lock. 



Lemma 29. The preparation of a test on a negative instantiation of a sum lock is junk of [ • ] , i.e., 



VC ([•]) G 7r a > 7r a . Vm„ rm,up, y,y', I, k-, r, s, z 6 TV . VJ eP a . 

J = m 2 * (y\ lr, r) . ([ y' = y]r(l r , I, I, s, z) \ m— (y' , 1,., r)) A C (J) G (PJj . jm) 
A (3T G Pa • 3i c /V . C (0) = (T | 7 (J.))) 
implies C (J) «™ C (mj -» mi tUp ) 

and 

VC ([•]) G 7r a -s- 7r a . Vm„, m , U p,y,y', h Is, r, s,z 6 A/" . VJ G P a . 

J = m D * (y, l s , s,z) . ([ y' = y]r(l s , I, l s , s,z) \ m 0tUP (y', l s , s, z)) A C (J) G *P (PaT[ ■ ]») 
A (3T G Pa • 3i c TV . C (0) = [y x) (T 1 1 (_L))) 
implies C (J) w" 1 C (m -» m 0}Up ) 

Proof. First note that here not J but only [ j/' = t/ ] r {lr, I, I, s, z) and [ y' = y ) r (l s , I, l s , s, z) are considered as junk. 
If these terms are omitted then the respective J reduces to the forwarder m, -» m, tUp or m a -» m 0jUp . 

In the first case — regardless whether the receiver lock r belongs to an encoded input guarded term or an encoded 
replicated input — the output r (l g , I, l s , s, z) induces a test on the sum lock I. Since that lock is already instantiated 
by false we can revisit the argumentation of the proof of Lemma [57] to conclude that we can ignore this induced 
test. So we can also ignore the inducing output r (l s , I, l s , s, z). The remainig term m* (y' , l r , r) .mj. up (y 1 , l r , r) is 
equal to the forwarder -» mi_ up . 

For the second case, since there is a negative instantiation of I, the receiver lock r was not created by the 
encoding of a replicated input. So again the output r (l s , I, l s , s, z) induces a test on the sum lock I. The rest of that 
case is similar to the case before. □ 

Unfortunately, we can not declare any remains of emulations as junk, because we can not ignore the forwarding 
of left requests in the chains of right requests which is left over by former considered right requests. However, 
after extracting the junk, by Lemma [551 there is indeed nothing more left, than a simple forwarder, which can not 
influence the state of the process modulo w" 1 . That suffice to prove operational completeness. 



2.6 Semantical Criteria 

Among the semantical criteria operational correspondence is the most elaborate to prove. Therefore we show the 
both its conditions, operational completeness and operational soundness, separately. In order to show operational 
completeness, we have to show how source terms steps are emulated by the encodings. 

Lemma 30 (Operational Completeness). The encoding [ ■ ] a fulfils operational completeness. 

Proof. By Definition [9] it suffice to show that: 

VS, S' & V s ■ S i — > S' implies 3T G V a ■ [ S f a !=► T A T [ S' ]' 

The lemma then holds by induction over the number of steps in S l=> S' . To prove the condition above, we perform 
an induction over the proof tree that leads to the step S i — > S' . 

Base Case: By the rules in Figure [2] each step on S is based either on Rule TAU m , s , COM mjS , or Rep,„ !S . 

Case of Rule TAU niiS : In this case S is a single sum, of which one summand is guarded by r, and S' is the 
continuation of this r guarded summand, i.e., there are some finite index set /, some guards 7Tj, and some 
processes Pi G "P s such that S = X^ie/ 71 "*-^ with iXj — t for some j € I and S' = Pj. The corresponding 
encodings are given by the following terms: 

1st 
is' I 



(W) 7<T)| [] I *i-Pi la I test 1 then ' (-L) I [ Pj 11 else I (±) 



We observe that [ S } s a can emulate the step S i — > S' by reducing the test-statement in the encoding of the 
j's summand, i.e., by 



(vt) 



n 



.Pi] s a |I(±)|[Pi]! =T. 



Note that, since the test-statement and the implementation of booleans are no native n- terms but abbrevi- 
ations for 7r-constructs, this reduction indeed requires two steps. Moreover note, that we silently omit junk 
that results from the reduction of test-statements (compare to Lemma [23]) here and in the following proofs. 

Further, we observe that T = (vl) ^ [ T^i-Pi f a \ 7 (J-)^ \ I Pj T a , since, due to the renaming policy 

ip a , the name I is not free in [ Pj J*. So the emulation leaves over the term (y V) ^ [ 7rj.P, } a \ 7 ■ 

which is by Lemma [26] junk. By Lemma l22l we conclude that T =| [ 5" J a . 

Case of Rule COM miS : Here 5* is a parallel composition of two sums and S' is the parallel composition of the 
continuations of an input guarded summand of the first and a matching output guarded summand of the 
second sum, i.e., there are two finite index sets h, h, some guards -k^ and some processes Pi,Qi £E P s such 
that S = ^2 ieh Ki.Pi | J2iei 2 ^i-Qi with ir 3l = y(x) and itj 2 = y (z) for some ji € h, some j 2 S h, and 
x,y,z G N and S' — {%} Pj 1 \ Qj 2 - The encodings of S and S' are given by the following terms: 



[sx=(w)(i(T)i n i*i- p di 

| (v r) (r | r*.<pl (y) (I', s, <p s a (x)) .test I then test I' then 7(J_) | 7(1.) | s | [ P n \\ 

else 7 (T) \ 7(±)\r 
e\sel{T)\^M{l',s^l(x)})) 

\(yl)(l(T)\ I] l*i.Qill\ I *•[<&,]>)) 

lS't=U%}(Pn)l\lQn I 



To emulate the source term step S i — > S' first the receiver lock has to be reduced to enable a communication 
over ip s a (y). Then the test-statement and the sender lock are reduced to complete the emulation of the source 
term step. 



(Wi^^n i {V/} ( n i*i- p it) 



(vr) (test h then test h then (_L) | fc (-L) | ? | {^ (2) / V |(z)} (I ^ Fj 
else h (T) | fe(_L) | r 



else / x (J.) | ip a a (y){k,s,<pl(z)) 
r*.<pl (y) {I', s, ip s a {x)) .test k then test I' then h (JL) | I 7 (_L) | s | I P^ 

else IT (T) 7 7 (±) | r 
elsefe<±> ^(I'.syjs))) 



fc(T)|{ fe /;}( II l*i-QiZ\ -1^1, 



(uh,h,8)({ h /i}i n in-Pit) 



\(ur)(k(±)\k(±)\{^% lix) [ 

r*.(p a a (y) (I', s, ipl (x)) .test h then test I' then £ (_L) | T 7 (T) | s \ I P h 

else7~(T) \V(±)\r 




By Corollary ffl {^ (z) / V |(x)} I J a = Q [ {%} Ph ]'. To show that T =^ [ S" J™ we stepwise reduce T by 
ignoring junk. Since l\, fe, r, s ^ fn([ {%} P^ ]™) U fn(J Qj 2 J™), we can reorder the term according to the 
restrictions on h,h, r and the restriction on s can be omitted. The term 

(pr)(r*.y>l(y)(l',s,<pl(x)).testh then test /' then \ (_L) | F (_L) | s | I P h ] a 

else 7^ (T) \ V(±) | r 



elseJi(-L) | # «X (*)) ) 

is obviously junk, since it is closed and can not perform any step. Moreover, by Lemma 1261 the terms 
{v (iLe*,** I t*-P< Fa I I (-L)) and (», 1) (ilie*,^ I n-Qi t 1 1 (-L)) are junk. So, by Lemma G2 we 
conclude T = a \ S' f a . 

Case of Rule REP m s : Here 5 is a parallel composition of a replicated input and a sum and 5" is the parallel 
composition of the replicated input, the continuation of the replicated input, and the continuation of a 
matching output guarded summand, i.e., there is a finite index sets /, some guards 7Tj, and some processes 
P, Qi € V s such that S = y* (x) .P \ J2i£i n i-Qi with nj = y (z) for some j 6 I and x,y,z G A/", and 
5" = {%} P \ Qj \ V* i x ) P- The encodings of S and 5" are given by the following terms: 

[ S t = (y)* (I, s, < (*)) .test I then 7 (J.) | s | [ P ] s a else 7 (J.) 

|(W)I7<T)| [] [n.QiZ\(va)feM(l,sMz))\8.lQ j }] 

[s't=[{%}(p)ii\iQjii\iv* (*) pi: 

To emulate the source term step 5 i — s- S", first the two subprocesses of [ S ]* communicate over y?| (y). 
Then the test-statement and the sender lock are reduced to complete the emulation of the source term step. 

[S]"^(W,*)(testJthen7<_L) |l| {^ { % l{x) } (I P t) else 7 (T) 

| ^ a (y)* (I, s, ft (s)) .test I then 7 (J.) | « | [ P J' else I (_L) 
M(T)| 1] I Ti-Oi la I »• I Gila) 

^ 3 (,I, s )(l(l)lp)/ y5w }([p] B J 

I ipl (y)* (I, s, ipl (x)) .test I then 1{±) | S | [ P ] a else 7 (_L) 
I II Mit\lQit)= T 

By Corollary [U {^ (z) /<pi(x)} [ P l a =a I {%}P] a - To show that T = a [[ S" J" 1 we stepwise reduce T by 
ignoring junk. Since l,s £ fn([ {%} P ] a tl )Ufn([ Qj J™), we can reorder the term according to the restriction 

on I and the restriction on s can be omitted. By Lemma \26\ then (y I) (jj iel ^ [ TTj.Q-t ] a | 7 (-L)J is junk. 
Note that, by Lemma [T71 the relation =| includes structural congruence. Thus, by Lemma l2"2l we conclude 



Induction Hypothesis: Si i — > S[ implies 3Ti eP a . [ Si ]° l=>- Ti A Ti [ ]* 

Induction Step: We have to consider the remaining three rules Par, Res, and Cong of Figure [3J 

Case of Rule Par: Then S = Si \ S 2 for some Si,S 2 G V s , Si i — > S[, and S' = S[ \ S 2 . By the induction 
hypothesis there is some T\ G P a such that [[ Si ] a t=> Ti and Ti = a [ SJ Since the encoding of the 
parallel operator is rigid, i.e., [ S ] a = [ Si J a | [ 52 f a and [ 5" ] a = [ S[ ] a \ [ S 2 } a , we can apply rule 
Par to conclude from {Sif a t=>- T x to [Sj a l=> T x \ \ S 2 f a = T. By Definition ggl Ti S* [ S( ] a 
implies C(Ti) « a C (I f a ) for all contexts C ([•]) G V a -> P a such that C ([ J') £ Pal"[-F a - Since 
I la I I la e ^1 ■ F ' ^ ne quantification over C includes all contexts C such that C ([■]) = C ([•] | [ S 2 ] a ). 
Because of that, we have C' (Ti | [ S 2 J a ) »° C' ([ 5( ] a I I $? l a ) for all contexts C' ([•]) £ P a ^ P a such 
that C' (I ] a ) G Paf[ ■ ]». By Definitional we conclude T = a [ S' f a . 

Case of Rule Res: Then 5 = (vx)Si for some x G TV and some Si G P s , Si 1 — ► SJ, and S' = (i/x)S(. 
By the induction hypothesis there is some Ti G T& such that [ Si ] a t=>- Ti and Ti = a [ S( ] a . Since 
the encoding of restriction is rigid, i.e., [ S ] a = (f y> a (x)) [ Si ] a and [ S' ] a = (z/ <p a (x)) [ SJ ]*, we 
can apply rule Res to conclude from [ Si ] a t=^> Ti to [ S ] a l=> (z^ a (x))Ti = T. By Definition [H 
T i =1 I S[ la implies C (T x ) « s a C (I S[ J a ) for all contexts C ([•]) G P a -> Va, such that C ([ l a ) G 
Pat[-] s - Since ^ a (x)) [ ] a G P a t[-] s : the quantification over C includes all contexts C such that 
C ([•]) = C' ((vifl (x)) [■]). Because of that, we have C' (x))T x ) r£ C' ((i/<p| (x)) [ S[ f a ) for all con- 

texts C' ([•]) e P a ^ P a such that C' (I ] a ) G Pali . ]j- By Definition gSJ we conclude T = a [[ S' ] a . 

Case of Rule Cong: Then S = S x for some Si G P s , Si 1—> S[, and S( = S'. By LemmadOl the encoding [ ■ f a 
preserves structural congruence of source terms modulo = a . So S = Si and S[ = S' implies [S] a = a [Si] a 
and I S[ f a I S' f a . By Definition Hi for all contexts C ([•]) eP a ^P a such that C ([ ] a ) G Patj . ]• we 
have C ([ S ] a ) « a C ([ Si ] a ), i.e., especially [ S ] a « a [Si ] a . Thus, by Definition ^ for each sequence 
[[ S ] a l==> T there is a sequence [ Si ] a !=>■ Ti for some Ti G P a such that T « a Ti. The same holds for all 
Contexts C, i.e., since C ([ S ] a ) « a C ([ Si ] a ), for each sequence C ([ S J 8 ) t==> C (T) there is a sequence 
C ([ Si 11) C (Ti) for some Ti G P a such that C (T) « a C (T x ). So, by Definitional T ^ a Ti. By the 
induction hypothesis Ti =| [ SJ ] a . Since, by Lemma [T51 =| is an equivalence, T =| Ti, Ti =| [ SJ ] a , and 
I Si t =1 [ S' t implies T - a [ S' ] a . 

□ 

Lemma 31 (Operational Completeness). The encoding [ ■ J" 1 fulfils operational completeness. 

Proof. By Definition [S] it suffice to show that: 

VS, S' G P m . S .— ► S' implies 3TeV a . I S ]™ f=> TAT =™ 2 I S' j a 

The lemma then holds by induction over the number of steps in S l=>- S'. To prove the condition above, we perform 
an induction over the proof tree that leads to the step S 1 — > S' . 

Base Case: By the rules in Figure [2] each step on S is based either on Rule TAU m!S , CoM ro)S , or REP m!S . 

Case of Rule TAU mjS : In this case S is a single sum, of which one summand is guarded by r, and S' is the 
continuation of this r guarded summand, i.e., there are some finite index set /, some guards 7Tj, and some 
processes P, G P m such that S = Yliei ^i-Pi with ttj — r for some j G I and S' = Pj. The corresponding 
encodings are given by the following terms: 

[S]>(W)1(T>| J] [^PX|testZthen7<±)|[P,X else 7 (±) 



s'r = \ p, 



We observe that [ S ]™ can emulate the step S 1 — > S' by reducing the test-statement in the encoding of 
the j's summand, i.e., by 

[SX^ 2 (W)| H [Tr^ClI^UPfC] =T. 



We observe that T = (z/ 1) [J\ ieI ^ [ TTi-Pi J™ | / (-L)J | [ Pj ]™, since, due to the renaming policy the 
name I is not free in [ Pj ]™. So the term (y I) ^ [ i^i-Pi J" 1 | 7 (-L)^ is leftover, which is by Lemma 

EUljunk. By LemmaCH we conclude that T =™ 2 [ S' } a . 



Case of Rule COM miS : Here S is a parallel composition of two sums and S' is the parallel composition of the 
continuations of an input guarded summand of the first and a matching output guarded summand of the 
second sum, i.e., there are two finite index sets h, h, some guards 7Tj, and some processes Pi,Qi 6 P m such 

that S = J2ieh 1Ti - Pi I Si6/ 2 ^-Qi witri n h = v( x ) an d = V ( z ) for some h e h, some j 2 6 h, and 
i,i/,z£ A/", and S" = {%} P/j | Q^. Unfortunately the encodings of these terms are rather long: 



| S J a — (V 772 , ITLi , Po^up 1 Pi, up j Co ) TTlo.up ) ^i,up ) ( 

(^ , Pl )((^)(^T)i n i^-^c 

| (^r)(p-(^( y ),;,r) | r'(h,h,-8,<f£{x)). 

test ?! then test l 2 then (JL) | (J_) | s | [ P^ ]™ 
else 4 (T) | h{±) 
e\se~k{±})) 
| procLeftOutReq | procLeftlnReq) 

| ( V p 0iPi ) ( (i//) (T(T) | J] I n-Qi C I M (^(^a (v) . i,s,<ft (*)> I I Oa c 

procRightOutReq | procRightlnReq) 

| pushReq) 

$ J a — {y THo , , , ^ Pi, up ^ Co: Ci: ^o,up j , ) ( 

(fPcPi) (I {%}P/i C I procLeftOutReq | procLeftlnReq) 
| (vpo,Pi) ([ Qj 2 C I ProcRightOutReq | procRightlnReq) 
| pushReq) 



To emulate the source term step S i — >• 5", the endings of the two sums in S have to interact with the 
encoding of the parallel operator between them. At first the input and output register themselves to the 
encoding of the parallel operator by pushing requests. These requests are then combined and a test on the 
respective sum lockfH is induced by providing an output on the receiver lock. At least the test-statement is 
reduced to complete the emulation of the source term step. 



I ^ la ' ^ ^ ™° ' ' Po,up i Pi. up : Co : Ci: ^o,up > m>i,up j 4i > ^) ( 

iyPo,Pi) (T(T) | { la /i} f J] I^C] |r*(/i,fa,- 

y€/i,t#.7i j 

test ?i then test l 2 then li" (_L) | \ (_L) | s | [ P n ]™ else ^ (T) | h (-L) else k (_L) 
procLeftOutReq | procLeftlnReq | m~ (ip™ (y) ,l a ,r) | pi~^ (<p™ (y) , l a , r) ) 

\(v P o,Pi)(k(T)\{ k /i}l I] [TTi.QXj | S .[Q Ja C 

I (vm.up) ( m* (y, lr,r) • ([ y' = (y) ]r(k, 4, fe, s, I OA 4-, »")) 

| (v mi) (rrii^up -» | procRightOutReq)) 
Po,up (<p? (y),h,s, <f% (z)) | procRightlnReq) 

| pushReq) 



In order to avoid a deadlock caused by multiple simultaneous such tests on sum locks, the sum locks are ordered by 
ensuring that always the left one is checked first. 



' y {y TTl , 772 i j Po,up i Pi, up •> Co i Ci-} ^o,up j ^i,up •> ? T i ( 

test Zi then test Z 2 then h (±) \ k (±) \ s | [ P 3l ]™ else IT (T) | Zb (_L) else ^ (±) 
| procLeftOutReq | procLeftlnReq | p~ (cp™ (y) , l a , r) ) 

{vpoiPi) (4 co i { k /i} j n i^.q^c] | S .[Qi 2 c 

I (vm^ up ) (m* (y', l r ,r) . ([y' = ip™ (y) ]r(l r , l b , h,s,(p™ (z)) | m— (y' , l r , r)) 
| r (l a , h, k, s, ip™ (z)) | m— (tp™ (y) , l a , r) 
| (v mi) (nii^up -» rrii | procRightOutReq) ) 

I P^p~ (V™ (y) . 4, s, V™ 0)) I procRightlnReq) 

pushReq) 

I )• (z-' 777 , 771-2 j Po.up , Pi, up , Co , C-i, ^o.up , ^i.up , la, lb, T , ^ ) ( 

{vpo,Pi)({ u h} ( n i^ p ' c) it(j->it<-L)i {^wji^c 

| r*(« 1 ,/ 2 ,- ! s,^W)-testZ 1 then test l 2 then IT <±) | fe(_L) | s| [ I" 1 

else 77 (T) |fe(J_) 

else Zi (_L) 

procLeftOutReq | procLeftlnReq | p~~ (p™ (y) , l a , r) ) 

\{vpo,Pi){{ h /i} ( n i^c) u%x 

{vm^ up ) (m l * (y',l r ,r) . ([ y' = ^ (y) ] r (/ r , 4, Z 6 , s, 9?™ (z)) | m— (y' , Z r , r)) 

| m~ (<£™ (y) , la, r) | TTij) (77i liUp -» m l | procRightOutReq) ) 
Po,up (<p? (y) , k, s, <p™ (z)) | procRightlnReq) 
| pushReq) = T 

By Corollary ffl [ P n ]™ = a I {%} P h To show that T ££ a [ 5' J", we stepwise reduce 

T by ignoring junk. By Lemma 1251 we can ignore the requests pi, U p (y) ,L,r), mi. up {ip™ (y) ,l a ,r), and 
p . U p {ip™ (y) , lb, s, ip™ {z)). Next, by Lemma [251 we can ignore the term 

r* {k,l 2 ,-,s,p™(x)).testh then test Z 2 then h (±) \h(±) \s \ [ P h I" 1 else h (T) \h(±) 

else Zi (_L) . 

And, by Lemma [29l we can also ignore [ y' = p™ (y) ]r (l r , l b , k, s, p>™ (z)}, so 

™»* (y', lr, r) . ([y' = ip™ (y) }r(l r , l b , l b , s,ip™ (z)) \ m—(y', lr, r)) 

becomes rrii -» mi iUp . Note that this forwarder and the following forwarder mi. up -» rrii for an other instance 
of rrii may be necessary to emulate further source term steps, but, since they perform only invisible steps, 
they do not influence the state of T modulo =™ 2 m comparison to a fresh chain of right requests as in [ S' ]™. 
At least, since l a , l b , r,s £ fn([ Pj 1 ] m ) U fn([ P J2 J" 1 ), we can reorder the term according to the restrictions 
on l a , lb, v and the restriction on s can be omitted. By Lemma [27l then (y Z) ^IliG/i i^ji 1 7r *-^« 1™ I 

and (i/ Z) (llie/!,^ I n-Qi € I T <-L>) are junk. So, by LemmafU we conclude T [ S' 
Case of Rule REP m s : Here S is a parallel composition of a replicated input and a sum and 5" is the parallel 
composition of the replicated input, the continuation of the replicated input, and the continuation of a 



matching output guarded summand, i.e., there is a finite index sets /, some guards 7Tj, and some processes 
P,Qi G V m such that S = y* (x) .P \ ^ ie i^i-Qi with nj = y {z) for some j € I and x,y,z e A/", and 
S" = {%} P | | y* (x) .P. Unfortunately, the encodings of S and S' are again long: 

| $ l a = ) i Po,up ) Pi. up i Co i C-ii ^o,up : ^i,up ) ( 

(isp ,Pi) ( i, r, c r j , c r2 , r Q , n) ( 

r* (-, -, l a , s, (a;)) .test l s then ^ (_L) | s | c^T (ip™ (x)) else T s (_L) 
Pi{<P™(y) . n (v^ (y) , ^ r ) I * CO c^"(r„, r 4 ) 

I ^ri ((^ a (^)) 'C r g (^o: ^i) • iy m oi m i: Po,upj Pi. up: ^o.upj f*i,up> c o > m o .up j m i.up) ( 

pushReqln 

| {vp ,pi) ([P]™ | procRightOutReq | procRightlnReq) 
I {vr , n) (c^(r | n) | pushReqOut) )) 
| procLeftOutReq | procLeftlnReq) 

{"Po,Pi)( M (T(T) I J] I ^ C I ("») (P^ (») , I, S, <f% (*)> | 8. I Q, C) 

I procRightOutReq | procRightlnReq) 

pushReq) 

I $ 1 a ) i Po,up i Pi. up : Co : Cii ^o.up : ^i,up ) ( 

{y Po: Pi) ( [y m o> m i> Po.up: Pi, up: Co, Ci , TTlo,up: m i,up) ( 

(i/p ,Pi) (I {*/*} (P) C | procLeftOutReq | procLeftlnReq) 

(yp ,Pi) (IQj C | procRightOutReq | procRightlnReq) 

pushReq) 
| procLeftOutReq | procLeftlnReq) 
{vp ,Pi){ly* {x).P\™ | procRightOutReq | procRightlnReq) 
pushReq) 

To emulate the source term step S i — > S', the two subterms of [ S ]™ have to interact with the encoding 
of the parallel operator between them. At first the replicated input and the output register themselves to 
the encoding of the parallel operator by pushing requests. There the requests are combined and a test on 
the sum lock of the sender is induced by providing an output on the receiver lock. Next the test-statement 
is reduced. To complete the emulation of the source term step, at least the continuation of the replicated 
input encoding is unguarded and placed within an adoption of the parallel operator encoding. 

I ^ la ' ^ ^ m ° ' Po,up j Pi, up 7 C G , Ci , fTL O U p , Tfli U p , l a , l b: T, s) ( 

{vPo,Pi) ( {vc rU c r2 ,r , n) ( 

r* (-, -, l s , s, ip™ (x)) .test l s then T s <_L> | a | (<p™ (x)) else £ (-L) 
\ri(v™(y)X,r) | 4, CO | c^{r ,n) \ c rl * (tp™ (x)) .c r2 (r a , n) . 
{v vn 0l Tfi-i) Po.up-) Pi,upi To,up-, Ti.up-) Co-> &i •> ^o.upi ^pushReqln 
I {vp ,Pi){lP\™ I procRightOutReq | procRightlnReq) 
I (vr ,n) (c^(r | n) | pushReqOut))) 
| procLeftOutReq | procLeftlnReq | m (<p™ (y) ,l a ,r) \ pl~^ (tp™ (y) , l a , r) ) 

i(^ ,Pi)(fe<T>i{Vi}( n [^iC)i«-iOiC 

{vm.up) (m* {y', l r ,r) . ([ y' = (y) ] r (/ r , l b , l b ,s,<p™ (z)) \m—(y', l r , r)) 
| (vrrii) (TOj jUp ^> m 2 | procRightOutReq)) 
| Po,up (<p™(y),l b ,s,<p™(z)) | procRightlnReq) | pushReq) 



{y Vfl 0l TTlii Po.upi Pi.upi C-01 Gil m o,upi m i,upi fc.; 4>i ^ i 5 ) ( 

{vp»,Pi) ( {v c r i,c r2 ,r , n) ( 

r* (-, l s , s, if™ (x)) .test l s then T s (±)\l\c^ (*)) else 4 (-L) 
(y) - k, r) I / a (T) | Crt (r , n) | c rJ * O" 1 (or)) .c r2 (r , n) . 

{is Ul o , Po.up-, Pi.up-, ^o,upi Ti.up-) Co-, ^o,up-, ^i.up^} (pUShReqln 

I (^Po,P»)([-PC I procRightOutReq | procRightlnReq) 
n) {c r2 (r Q I n) I pushReqOut))) 
I procLeftOutReq | procLeftlnReq | p— {ip™ (y) , l a , r) ) 

I {vPo,Pi) (fe(T) I {V;} ( LI I^-OiC] l«-I^C 

I (vm.up) (m* {y' ,l r ,r) .{[y' = ip™ (y) ]r (lr,l b ,l b , s,ip™ (z)) \ m— (y' , l r , r)) 

I r (/ a , fe, fe, s, <£™ (z)) I (<p™ (y) , Z a , r) 

I {y rrii) {mi^ uv -» rrii | procRightOutReq)) 
I Po,up (<p™{y),l b ,s,<p™ (z)) I procRightlnReq) | pushReq) 

{y Tfl , ?7i^, Po.up 1 Pi, up 1 C-oi c ii m o,up 1 m i,up •> i 4> i T •> 5 ) ( 
{vPo,Pi)( (vC rl ,C r 2,r ,ri)(l b (±) \Cri{<f% 0)} 

| r* (-, -, 5, V7 (*)) -test Z s then 7J (-L) I « | <V7 (a;)) else 4 (_L) 
n(v™ (y) Ja,r) I 4 (T> I c^"(r ,r 4 ) | c ri * (p™ (x) ) . c r2 (r ,r 4 ). 
(v ni , tti^ j Po.up 1 Pi, up , ^o,up ; ^i, up 1 Co 1 Ci: ^o.up : ^i,up) (push Req I n 
I {vp a , pi) ([ P ]™ I procRightOutReq | procRightlnReq) 
I {vr ,ri)(~c^2~(r \ n) | pushReqOut))) 
I procLeftOutReq | procLeftlnReq | p ttUp (ip™ (y) , l a , r) ) 

\(yp ,Pi){{ h >/i\ I II I^OiC] H^ia 1 

I (vm.up) (m* (y', k, r) . {[y' = V™ (y) ]r{l r , l b , l b ,s,(p™ (z)) \m—{y', l r , r)) 

I ™v^p (<PT (y) Ja,r) I {v mi) (m ljUp ^> 777, 4 | procRightOutReq) ) 
I Po,up {<f£(v),k,s,<p?(z)) I procRightlnReq) | pushReq) 



' y {y Tn j nii , Po,up •> Pi, up ? c 5 Cj , n^o.up ? ffii.up •> ^ 4>5 ^) ( 
(vp ,Pi) ( c rJ , c r2 , r , n) ( 

T b (_L) I r* (-, -, t, s, ^ (x)) .test Z s then £ <-L) I s \ c^T (<p™ [x)) else 4 (±) 
\ri{<f£(y),la,r)\k{T) \ c rl * fo£ (x)) .c r2 (r , ri ) . 

(V ?7Z , ?7li , Po,up ? Pi. up 3 To, up 3 Ti,up ? Co 3 , Ttl ,up 3 Tfl>i,up ) (push Req I n 

I (^p , ([ P ]™ I procRightOutReq | procRightlnReq) 

I (vr ,ri)(c^(r | r 4 ) | pushReqOut)) 

J (// 77l D , 777^ j Po.up 1 Pi, up-, To,up-> Ti,upi Co j £fc j ^o,up j ^i,up ) (push Req I fl 

l(^p 0) ft)({^ (z) /^)}(I^C) 

I procRightOutReq | procRightlnReq) 

I (vr ,ri)(c^(r \ n) | pushReqOut))) 
I procLeftOutReq | procLeftlnReq | Pi, up (</?™ (y) i 4u r ) ) 

K^o,Pi)({Vi} ( n i^c) hojc 

I (ym^ uv ) {m* (y', l r , r) . ([ j/' = 92^ (y) ] r (/ r , Z b , ^s,^" 1 (z)) \m—{y', l r , r)) 

I m~ (<p™ (y) , k, r) | (1/ m*) (m IiUp -» mi | procRightOutReq) ) 
I Po,up ■ (<ft {y),h,s, <p™ (z)) I procRightlnReq) 
I pushReq) = T 

By CorollaryO] {^^/^(x)} [ P ]™ = Q [ {%} -P ]™- Unfortunately, this time it does not suffer to ignore 
junk to prove that T =™ 2 [ S' ]™, because in [ 5' ]™ there are two encoded parallel operators whereas in T 
there is only one. Nevertheless, we start reducing T by omitting junk. Since the sum lock l b is instantiated 
by false, by Lemma B5l the request p ,up (ip™ (y) , l b , s, 99™ (z)) is junk. Moreover, by Lemma 129} the term 

mi* (y', lr, r) . ([ y' = (p™ (y) }r(l r , l b , l b , s,ip™ (z)) \ m~ {y' , l r , r)) 

reduces to the forwarder rrii -» rrii_ up . Since l a , l b , r, s ^ fn([ {%} P ]™) U fn(J Qj ]™), we can reorder the 
term according to the restrictions on l a , 4, and r and the restriction on s can be omitted. By Lemma [27l 
then (u I) (jl ieIti7ij [ ni.Qi ]™ | 7 (±)) is junk. By Lemma[22 we deduce T T' , where T" is: 

= a 2 ^01 1 Po,upt Pi,upi C01 £%t TW'O.up-i ^i^up) ( 

(vp ,pi) ( (v I, r, c rJ , c r2 , r a , n) ( 

r* (-, -, l s , s, (p™ (x)) .test l s then I (±) | S \ c^T (a;)) else T s (±) 
\n{v™ (y),l,r)\l(T) 

I Crl (V^a (*^)) ' ^r2 iXoi ^i) • iy ^o 3 3 Po.up 3 Pi, up 3 To, up 3 Ti.up 3 ^-03 ^i) ^o.up 3 ^i,wp) ( 

pushReqln 

I (^Po,ft)([lP]a 1 I procRightOutReq | procRightlnReq) 

I (vr ,ri)(c^ (r Q \ n) \ pushReqOut)) 

I 77l j , Po.up f Pi, up 7 To, up j T*i,up •> Co-, &%i TTlo,up -, (push Req I fl 

I (i/j> OJ pi) ( [{*/x}PC I procRightOutReq | procRightlnReq) 
I {^r 07 ri)(cr^(r | r 8 ) | pushReqOut))) 
I procLeftOutReq | procLeftlnReq | pi, up (yj™ (y) ,l,r)) 
{vpoiPi) ( [ Qj C I procRightlnReq 

I mj,„ p ) (m, ^> mi,„ p | m I:Up (tp™ (y) ,l,r) \ (v mi) (m itUp -» m l | procRightOutReq)) ) 
I pushReq) = T' 



Analysing T" we observe that in comparison to [ S' ]™ the encoded subterms [ { z / x } P ]™> [ Qj } m , and the 
term representing [ y* (x) .P ]™ appear in the wrong order. However, since S' = S" = (y* (x) .P \ { z / x } P) \ 
Qj and =™ 2 , by Lemma I2T1 preserves structural congruence of source terms, we have [ S' ]™ =™ 2 I S" ]™> 
i.e., the order of these subterms does not matter. As in the case before, on the right side of the parallel 
operator encoding there are the two forwarders mi -» mi. up and mi. up -» m,i (for different instances of mi). 
Again they are necessary to emulate further source term steps on the continuation \Qj ] , but, since they 
perform only invisible steps, they do not influence the state of T" modulo =™ 2 . 

Moreover there is the request m^up (<p£ (y) ,l,r), to enable an emulation of a communication of Qj and 
y* (x) .P. Note that there is also the request pi lUp ((/?™ (y) , I, r) at the right side of the parallel operator 
encoding, but the request ~p[ (y) , I, r), which belongs to [ y* (x) .P J a , is missing. However, since by 
mi,up -» mi the request pi, up (<p£ (y) , I, r) is forwarded to ~fru (<p£ (y) , I, r) within a pure administrative 
step and since this configuration is equal to one application of procLeftlnReq on Pi (<p™ (y) , I, r), which is 
again a pure administrative step, these two requests in comparison to p~l (cp™ (y) , I, r) do not influence the 
state of T modulo =™ 2 . 

What remains as difference of T" and [ S" ]™ is the fact, that in T" the encoding of { z / x } P appears within a 
branch of the replicated input encoding whereas in [ S" J" 1 it appears as right branch of a parallel operator 
encoding, i.e., it remains to show that T" =™ 2 [ y* (x) .P \ {%} P ]™, where 

T" = (vl,r, c rU c r2 ,r ,ri) ( 

r* (-, -, l s , s, (p™ (x)) .test (, then T a (_L) | s \ c^T {tp™ {x)) else T s (_L) 
|T7<^(l/),/,r)|7<T> 

I c n* (vT (x)) .c r2 {r , n) . {vm Q , m,i, p ,up, Pi,u P , r , up , n, up , c , Cj, m . up , mi. up ) (pushReqln 
| {^Po, Pi) HP IT | procRightOutReq | procRightlnReq) 
| (y r ,r i )(cPi (r | r») | pushReqOut)) 

| {y 7Tl j TRi , Po,upi Pi. up i To, up j ^i.up j C , , TTlo.up j ^i,up ) (push ReC| I n 

I (vp ,Pi) (I {7*}^ C I procRightOutReq | procRightlnReq) 

I {vr ,ri)(-c^ {r Q \ n) \ pushReqOut))) 

First, note that the term 

(vpo.Pi) (I {7^}^lL n I procRightOutReq | procRightlnReq) 

exactly corresponds to the right branch of [ y* (x) .P \ {%} P ] a . If we compare pushReqln with procLeft- 
OutReq and procLeftlnReq, then we observe that the former includes exactly the same forwarders as the later 
but also some additional forwarders. The same holds for pushReqOut and pushReq. Note that the additional 
forwarders ensures that each requests of each branch of the replicated input encoding is forwarded to each 
next right branch, and so these additional forwarders are necessary in case there is more than one branch. 
Also note that the given forwarders guarantee that each pair of requests, such that one is an input and the 
other one an output request and both requests do not origin from the same sum, can be combined. Moreover, 
note that the only request from the left side, i.e., of the encoding of the replicated input, is transmitted to 
the right side, i.e., the only branch of the replicated input, by the request T[ (ip™ (y) , I, r) and pushReqln. 
So these forwarders do not distinguish T' and [ S" modulo =™ 2 . 

Since T" and [ y* (x) .P | {%} P ]™ do only differ by the forwarding of requests but nevertheless allow for 
the same combinations, we deduce that T" =™ 2 [ y* (x) .P \ { z / x } P\™- Thus, by Lemma [151 we conclude 

Induction Hypothesis: S x i— > S[ implies 3Tj eP s , [Si ]™ t==> T\ A T\ ^ n 2 \ S[ ]™ 
Induction Step: We have to consider the remaining three rules Par, Res, and Cong of Figure [2j 

Case of Rule Par: Then S = Si | S 2 for some Si, S 2 £ V m , Si i — > S[, and S' = S[ \ S 2 . By the induction 
hypothesis there is some Ti £ V a such that [ Si ]™ t==^ T\ and T\ =™ 2 [ S[ ]™. The corresponding encodings 



are given by the following terms: 



I ^ la — ^ ™° ' 1 P°,up 5 Pi, up j C c , Ci , Tfl ,up j TFli,up ) ( 

(vp 0l pi) ([ 5*1 ]™ | procLeftOutReq | procLeftlnReq) 

(vp 0l Pi) ([ S 2 ]™ | procRightOutReq | procRightlnReq) 
| pushReq) 

I S l a ; i Po.up j Pi, up ) , j ^Tlo,up : ^i^up^) ( 

(vp Q ,Pi) ([ SJ ]™ | procLeftOutReq | procLeftlnReq) 

(vp Q ,pi) ([ S 2 ]™ | procRightOutReq | procRightlnReq) 
| pushReq) 

Since \ Si ]™ t=> Ti and since [ Si ]™ is not guarded in [ S ]™, we can use the rules Par, Res, and Cong 
in the asynchronous calculus to show that: 

I ^ 1 a ' '* 5 ^i i Po,upi Pi, up ; Co > Ci j TTl U p , Tfli U p ) ^ 

(^p ,Pi)(Ti | procLeftOutReq | procLeftlnReq) 

| (vp ,pi) ([ S 2 ]™ | procRightOutReq | procRightlnReq) 

| pushReq) = T 

By Definitional T x =™ 2 I S[ }™ implies C (Ti) w£ 2 C ([ SJ J" 1 ) for all contexts C ([•]) e P s ^ P a such 
that C ([ J™) G Pafj . jm. Since [ | S 2 ]™ € 7-^1" [ . ]=>, the quantification over C includes all contexts C such 
that: 

^ ( ['] ) ^ ( 1 j Po.up 7 Pi, up ^ Co ) , TR Q U p , 1Tli U p ) ( 

(fPoiPi) (['] I procLeftOutReq | procLeftlnReq) 

I (vp ,pi) ([ S 2 J" 1 I procRightOutReq | procRightlnReq) 

I pushReq)) 

= C (c" ([■])) 

Because of that, we have C' (c" (Ti)) «^ 2 C' (V' (I S^ ]^)) for all contexts C' ([•]) £ ? a ^ P a such that 

C' ([ ]™) e PJi . i». By Definition [Ml we conclude T =™ 2 [ S' ]"\ 

Case of Rule Res: Then S = (vx)Si for some x E N and some £1 G Tin, Si 1 — > S(, and S' = (y x) S[. 
By the induction hypothesis there is some T\ £ P a such that [ Si ]™ t=4> Ti and Ti =™ 2 [ S[ J™. Since 
the encoding of restriction is rigid, i.e., [ 5 ]™ = (f<£>™ (x)) [ Si ]™ and [ S' J™ = (fi/?™ (a:)) [ Si ]™, we 
can apply rule Res to conclude from I Si J™ t=4> Ti to IS]" 1 {vtpl (x)) Ti = T. By Definition [Ml 
Ti =L n 2 I S( C im P lies C (Ti) «£ 2 C ([ S( C) for all contexts C ([•]) G V a -► P a such that C ([ ]™) G 
'P a ['[ ] m - Since <p™ (a;)) [ ]™ G 7-afj.jm, the quantification over C includes all contexts C such that 
C ([•]) 1 C' ((u<p? (a:)) [•]). Because of that' we have c' ((^- (a;)) Ti) «™ C' ((i/p? W) I S[ £) for all 
contexts C' ([•]) eV & ^V & such that C' (I ]") G . jm. By Definitional we conclude T ^™ 2 [ S" ]™. 

Case of Rule Cong: Then S = S\ for some Si G P m , 5i 1 — >■ SJ, and S[ = 5". By Lemma [2T1 the encod- 
ing [ • ]™ preserves structural congruence of source terms modulo =™ 2 . So S = Si and S[ = S' implies 
I $ C ="2 I -Si C and I S i I™ I S ' C" B y Definitional for all contexts C ([■]) eP a ^P a such that 
C([0 C)' G PJ[ . ,» we have C (fSp < 2 C ([ S 1 C), i.e., especially [ 5 ]» «™ 2 I ft ]"\ Thus, by 
Definition [26l for each sequence [ S t=> T there is a sequence [ Si ]™ t=> Ti for some Ti G Vn such 
that T «™ 2 Ti. The same holds for all Contexts C, i.e., since C ([ S ]™) ^ (I IT)' f° r eacn sequence 
C (I S l" 1 )^ C (T) there is a sequence C ([ Si ]") C (Ti) for some Ti G ^ such that C (T) w™ 2 C (Ti). 
So, by Definition [2i T =™ 2 Ti. By the induction hypothesis Ti =™ 2 I S[ }™. Since, by Lemma [13 =^ 2 is 
an equivalence, T -™ 2 Ti , Ti S» a [ S[ C and [ S( ^ S» 2 [ S' C 'implies T =- 2 [ S' J™. 

□ 

If we analyse the proofs of the Lemmata [3D] and [211 we observe that for each emulation there is exactly one 
core step, i.e., there is exactly one core step for each of the rules TAU mjS , COM miS , and REP m s and the emulation 



of the remaining rules do not introduce additional core steps. This underpins our intuition of core steps (compare 
to Section that any emulation of a source term step is connected to exactly one core step. Moreover, any core 
step marks exactly one emulation of a source term step by steering the emulation to the "point of no return", i.e., 
to a point, from where no other sequence of steps can disable the completion of that emulation and from where any 
possibility to emulate a conflicting source term step is ultimately withdrawn. 

Lemma 32. Any emulation of a source term step includes exactly one core step and any core step steers the 
emulation of a source term step to a point, from where it eventually has to be completed. 

Proof. If we analyse the reduction rules in FigureEJ we observe that the result of a source term step is the unguarding 
of one or two former guarded subterms. If we rely on this fact to mark the essence of a step, then an emulation 
is characterised by the unguarding of the respective encoded continuations. Analysing the encoding functions in 
Figure [3] and Figure 0] we observe that such encoded continuations are guarded either by a sender lock or a test- 
statement. Note that, as proved in [NesOO for [ • J s and by the Lemma fTTI and Lemma [T2l neither pure nor impure 
administrative steps can introduce deadlock. 

The reduction of a summand guarded by r is the only case of a reduction step that does not require the 
interaction of a receiver and a sender (compare to rule TAU mjS ). Both encodings introduce a sum lock to encode a 
sum and translate summands guarded by t into a single test-statement, that tests the corresponding sum lock and 
in case of success unguards the encoded continuation and provides a negative instantiation of the sum lock. Note 
that to emulate such a source term for both encodings only two steps are necessary to reduce the test-statement. 
The first consumes the instantiation of the sum lock. If this instantiation is positive we call that step a core step. 
Note that before this step, an emulation of a conflicting source term step may change the instantiation of the sum 
lock into a negative instantiation and thus withdraw the possibility to emulate the step. On the other side as soon 
as the positive instantiation of the sum lock is consumed, there is, by Lemma [9] and Lemma 1101 no possibility to 
prevent that the second step necessary to complete the emulation eventually happens. So, whenever such core step is 
performed, eventually the encoded continuation is unguarded. Moreover, the only way to instantiate the consumed 
sum lock is to complete the emulation, which leads to a negative instantiation of that sum lock. By Lemma [SJ there 
is no chance to unguard a positive instantiation of that sum lock afterwards. Note that any source term step, that 
is in conflict to the considered step on the t guarded summand, have to reduce another summand of the same sum. 
Remember that, by Lemma [26l and [27l encoded summands connected to a negative instantiation of a sum lock are 
junk. So the consumption of the positive instantiation of the sum lock immediately rules out any emulation of a 
conflicting source term step. Moreover, since there is no possibility to reach a positive instantiation of that sum lock 
again, there is no possibility to emulate this source term step twice and any translated observable connected to this 
sum lock, i.e., to this sum, is immediately withdrawn by the consumption of the positive instantiation. Because of 
that, for any emulation of a source term step based on rule TAU m)S there is exactly one core step and for any such 
core step exactly one source term step is emulated. 

In case of rule COM mjS the source term step is on an interaction of an input guarded and an output guarded 
summand. The encoding of the continuation of the receiver is guarded by the second of a nested test-statement, 
while the encoded continuation of the sender is guarded by a sender lock, which in turn is guarded by the nested 
test-statement. In ExampleQ]we explain that reducing the first test-statement does not ensure, that the emulation 
can be completed. However, as soon as the positive instantiation of the second sum lock is consumed we can repeat 
the argumentation of the case above to show that the point of no return of that emulation is reached. We observe 
that the consumption of the second positive sum lock instantiation is indeed the only core step necessary to emulate 
this source term step. It immediately withdraw any possibility to complete the emulation of a conflicting source term 
step, because it ensures that both consumed positive instantiations of sum lock are never restored. With that it also 
immediately withdraws all translated observables on the summands of these to sums. Moreover, by Lemma [9] and 
Lemma [TOl the encoded continuations of the respective sender and receiver have eventually to become unguarded. 
Thus again for any emulation of a source term step based on rule COM mjS there is exactly one core step and for any 
such core step exactly one source term step is emulated. 

In case of rule R,EP mjS the source term step is on an interaction of a replicated input and an output guarded 
summand. The encoding of the continuation of the receiver is guarded by a single test-statement, while the encoded 
continuation of the sender is guarded by a sender lock, which in turn is guarded by the single test-statement. As soon 
as the positive instantiation of the second sum lock is consumed we can repeat the argumentation of the first case to 
show that the point of no return of that emulation is reached. We observe that the consumption of the positive sum 
lock instantiation is indeed the only core step necessary to emulate this source term step. It immediately withdraw 
any possibility to complete the emulation of a conflicting source term step, because it ensures that the consumed 
positive instantiation of the sum lock is never restored. With that it also immediately withdraws all translated 



observables on the summands of that sum. Moreover, by Lemma |H] and Lemma 1101 the encoded continuations of 
the respective sender and receiver have eventually to become unguarded. Thus again for any emulation of a source 
term step based on rule REP m s there is exactly one core step and for any such core step exactly one source term 
step is emulated. □ 

Based on this Lemma we prove operational soundness, by showing that each target term is part of an emulation 
of some source term step. 

Lemma 33 (Operational Soundness). The encodings [ • ] and [ • ]™ fulfil operational soundness. 

Proof. We start with [ • J . By Definition HI we have to show that: 

VS G V s . VT G V a . IS f a ^=> T implies 3S" G V$ . 3T' E P a . S t=> S' AT t=> T' A T' \ S' f a 

Note that T is a target term, i.e., T G "Pafj . j« . By Lemma [T8l pure administrative steps do not influence the state 
of a target term modulo =|, i.e., VT, T' G V^i . y ■ Tt=^=>T' implies T =\ T' . Because of that, it suffice to consider 
impure administrative and core steps, i.e., steps on translated source term names or sum locks. Moreover note, that 
steps on negative instantiations of sum locks reduce the corresponding test-statements to simple forwarders, that 
immediately restore the information consumed to resolve this test-statement. Thus impure administrative steps on 
negative instantiations of sum locks do not change the state of a target term modulo 

By Lemma [32l core steps indicate the border between the encoding of one source term and the encoding of its 
reduction. While, pure administrative steps do not influence the state of a source term modulo =|, the core steps 
do. Core steps finally rule out each way to reach one of the consumed translated observables and all translated 
observables connected to the same sums. With that, they also rule out each emulation of conflicting source term steps 
and accordingly the reachability of the corresponding translated observables and occurrences of /. On the other 
hand, since all post-processing steps of all emulations are pure administrative steps, they ensure that eventually 
the respective encoded continuations are unguarded. Because of that immediately after the core step all translated 
observables and all reachable occurrences of / of the encoded continuations are reachable. Because of that, source 
term steps and their emulations handle source term observables and their translated observables in exactly the same 
way, i.e., they remove old and unguard new in the same way. So, if we consider only pure administrative steps and 
a single core step, i.e., the sequence [ S } a a \=^>T i — > T'\=t>T" for a source term S G V s , then each target term 
in the sequence [ S ] a t=f=>T, including T, is congruent to [ S J a modulo =| and each target term in the sequence 
T 1 |==>T", including T', is congruent to T" modulo =|. By Lemma I3"2l the step T ^> T" marks the emulation of 
a source term step. Thus, S must be able to perform a step, i.e., 3S' G V s such that S i — > S', and the sequence 
I S 11 \=> T i — > T' \=> T" emulates this step by unguarding the encodings of the subterms of S' and removing the 
translated observables that refer to the observables removed from S during the step to S'. Moreover, note that, 
since all post-processing steps are pure administrative steps, it is always possible to complete the emulation after 
the core step. Thus 3T'" G V a such that T'" is the result of the completion of the emulation of S i — > S', i.e., 
T't=>T"' and T'" [ S' ]'. 

Unfortunately, impure administrative steps complicate the situation. As described in Example [T] they can already 
rule out some emulations on conflicting source term steps by disabling the reachability of some translated observables 
(e.g. by consuming their respective positive instantiations of sum locks). If they rule out all emulations on conflicting 
source term steps, then they behave like core steps and we are back to the situation descripted above. But, if they 
only rule out some emulations on conflicting source term steps, we result in what we denote as intermediate state 
(compare to Definition [23]) . Intermediate states are in general not congruent to any of the surrounding encoded 
source terms modulo =|; neither to the encoded source term there we start our emulation attempt nor to any 
encoding of the possible reductions. Note that the Definition [S] of operational soundness explicitly allows for the 
presence of such intermediate states as long as we can ensure, that from each intermediate state a state, that 
is congruent modulo =| to an encoded source term, is reachable. So let us have a closer look on these impure 
administrative steps. By Definition 1241 impure administrative steps are steps on translated source term names or 
on sum locks. They prepare an emulation by unguarding and/or partially reducing a test-statement. Since for all 
sum locks eventually an instantiation is restored, each of these test-stements is eventually resolved (compare to the 
proof in NcsOO] that the encoding [ • ] does not introduce deadlock). 

So let us consider a sequence [ S J s \=>T ^> T'\==^T". If the core step T ^> T' rules out any emulation 
attempt except for the one it steers to the point of no return, then we can use the same argumentation as in the 
case without impure administrative steps to show that 35" G V s and 3T'" G V a such that S i — > S", T't=^T'", i.e., 
T !=► T'", and T" 1 [ S> f a . 



However, by performing several impure administrative steps in [ S ] a t=4> T, several emulations can be started by 
unguarding and/or partially reducing test-statements before a single of them is resolved. In this case, the resolution 
of one of these test-statements may not directly lead to a term congruent modulo =| to an encoded source term. 
This can happen, if the source term can perform several sets of conflicting steps, i.e., there are at least two non 
conflicting but parallel steps and for each of these steps there can be some conflicting alternatives. To reach again 
a term, that is congruent modulo =| to an encoded source term, T has to finally decide on which of the started 
emulations are completed and rule out all conflicting emulations. Note that, therefore in general it is not necessary 
to resolve all unguarded or partially reduced test-statements. However, since the [ • F does not introduce deadlock, 
all unguarded and partially reduced test-statements in T can be resolved, which definitely completes some of the 
started emulations by core steps and rules out the completion of any remaining started emulation^. Thus 3T' G V a 
such that T 1 is the target term that is reached after all unguarded or started test-statements of T are resolved and all 
necessary post-processing steps to complete the respective emulations are performed, i.e., T t=> T". Then for each 
core step in the sequence T l=> T 1 there is one source term step of S or a reduction of S. Note that in [ S F t==S> T 
several emulations are started, but, since there are no core steps, none of these emulations is completed. So S must 
be able to perform all source term step, that correspond to an emulation completed in T l=> T", in parallel. Because 
of that, we can split up S into n parallel subterms Si, . . . , S n , where n is the number of emulations completed in 
T t=> T' . Then we can prove the lemma for the subterms using the cases above, i.e., we have [ Si ] a l==>-Tj implies 
3SI G V s and 3T( G V a such that Si i — > S' t , Ti t=> and T( ^ a [ S^ J*. Since S can perform all these source term 
steps in parallel, it can also perform them arbitrarily ordered in a sequence, i.e., 3S' G V s such that S !=>■ S' and 
S' is structural congruent to the parallel composition of the reductions S[, . . . , S' n . Then we use an argumentation 
similar to the case of the Par rule in the proof of Lemma [30] to conclude that 3T' G V a such that T t=> T" and 
% =1 I S[ il for all i with 1 < i < n implies T' { S' f a . 

Finally, let us consider an arbitrary sequence [ S ] a t=> T, which may even include core steps. Note that, in 
opposite two the cases before, this sequence covers the case there already some emulations are completed while for 
other emulations — possibly of parallel source term steps — up to now only test-statements are unguarded and/or 
partially reduced. However, revisiting the argumentation of the case before, 3T' G V a such that T l=> T 1 and T 1 is 
the result from resolving all unguarded and partially reduced test-statements in T and performing all post-precessing 
steps necessary to complete all emulations in [ S ] t=> T t=> T", that are already driven beyond their point of no 
return by the respective core step. By concentrating again only on the impure administrative and core steps — and 
ignoring impure administrative steps that do not lead to a completed emulation in [ S ] a t=> T" — we can split up 
this sequence into subsequences of subsequent bundles of completed emulations, such that each such bundle can 
not be further subdivided into such bundles. Then, if necessary, we split up these bundles into the parallel branches 
of the corresponding source terms as in the case before. Repeating this, we result in a tree of completed emulation 
of subsequently and parallel source term steps, where for each parallel source term step there is a branch in the 
respective subtree. Now each line between a parent and its direct child node within this tree represents one of the 
above considered cases. So we can conclude the proof by an induction over this tree. Thus, 3S' G V s such that 
S^S> and T =| \ S' f a . 

The argumentation for [ • ]™ is similar to the argumentation for [ • F above. Of course, the Lemmata IT51 and [501 
have to be replaced in the argumentation by [19] and [31] respectively. Moreover note, that the combination of the 
Lemmata [TT] [T2] and [32] proves that [ • J™ does not introduce deadlock. Finally, in [ • ]™ there are no steps on 
translated source term names, so there are less impure administrative steps. □ 

Lemma 34 (Divergence Reflection). The encoding [ • ] a reflects divergence. 

Proof. By Lemma I3"2l emulations and core steps corresponds. Because of that, an infinite sequence [ S ] a i — > u with 
infinite many core steps implies that infinitely many source term steps are emulated, i.e., that S i — > u . Because 
of that, it suffice to show that each sequence T\==>T' on target terms T,T' G P a \i . y between two core steps is 
finite. The argumentation for the sequence of administrative steps [ S ] a t==>T' before the first core step and for 
the sequence of administrative steps after the last core step — in case of a terminating process — is then similar. 



Note that the completion of emulations, that are up to now only started by performing some pure administrative steps, 
possibly might not be ruled out by resolving these test-statements. However, since pure administrative steps do not 
influence the state of a target term modulo =|, such emulations can be ignored. 



A look at the definition of the corresponding renaming policy in Figure [3] suggests the following case splilQ on 
the links of the steps in Tt===>T'. 

Case of s: The name s is used by the encoding function to denote sender locks. By Definition |T7l sender locks 
are channels of multiplicity one, that are used as input but not as replicated input channels and within the 
continuation of such an input there is no unguarded and unrestricted instantiation of a sum lock. Their purpose 
is to guard the encoded continuations within the encoding of output guarded source terms. Since we consider 
only terms with finite representation, there are only finitely many unguarded instantiations on sender locks in T. 
Analysing the encoding function in Figure 2] we observe, that new instantiations on sender locks appear only in 
the then-case of the (nested) test-statement in the encoding of input guarded source terms and in the encoding 
of a replicated input. Because of that, new instantiations on sender locks can be unguarded only by a core step 
followed by a pure administrative step to reduce the test-statement to the then-case. Some of these core steps 
may have happened before T, but of course only finitely many. So within the sequence T t===> T" only finitely 
many new instantiations on sender locks can be unguarded. We conclude that within the sequence T\==$-T' 
there are only finitely many steps on sender locks. 

Note that the encoded continuation of input guarded source terms or a replicated input appears in parallel to 
such an instantiation of a sender lock within the then-case of a (nested) test-statement. Because of that, within 
the sequence Tl=4>T' only finitely many encoded source terms, i.e., continuations, can be unguarded. 

Case of Outputs on Translated Source Term Names: Since we consider only terms with finite representa- 
tions, there are only finitely many unguarded outputs on translated source term names in T. Analysing the 
encoding function in Figure [3] we observer that there are only two ways to unguard a new output on a translated 
source term name. First, they can be unguarded by unguarding an encoded source term as continuation of an 
emulation. By the case before, within the sequence T\==>T' only finitely many encoded source terms can be 
unguarded, so there can only finitely many new outputs on translated source term names can be unguarded 
that way. Second, in the else-case of the first test-statement in the encoding of an input guarded source term 
there is such an unguarded output. To unguard this test-statement an instantiation of a receiver lock is con- 
sumed, but no new is unguarded by the else-case of the first test-statement. Analysing the encoding function we 
observer that all receiver locks are generated under restriction and initially there is exactly one instantiation of 
each receiver lock. Moreover, receiver locks are never transmitted over these restriction and to unguard a new 
instantiation (in the else-case of the second test-statement) a former instantiation of that receiver lock has to 
be consumed. Because of that, in each target term there is at most one instantiation of each receiver lock. Thus, 
reducing the nested test-statement to the else-case of the first test-statements, prevents any further unguarding 
of this test-statement. Since in T there are only finitely many different guarded or unguarded replicated inputs 
on receiver locks guarding such a nested test-statement, it is not possible to unguard initially many new outputs 
on translated source term names that way. We conclude that within the sequence T l=> T" only finitely many 
outputs on translated source term names can be unguarded. 

Case of r: The name r is used by [ • J s a to introduce receiver locks. Since we consider only terms with finite 
representations, there are only finitely many unguarded instantiations on receiver locks in T. Analysing the 
encoding in Figure [3] we observer that there are only two ways to unguard new instantiations on receiver locks. 
First, they can be unguarded by unguarding an encoded source term as continuation of an emulation. By the 
first case, within the sequence T t=> T" only finitely many encoded source terms can be unguarded, so there can 
only finitely many new instantiations on receiver locks be unguarded that way. Second, in the else-case of the 
second test-statement in the encoding of an input guarded source term there is such an unguarded instantiation 
on a receiver lock. However, to unguard such a nested test-statement an output on a translated source term name 
has to be consumed. Since by the case before there are only finitely many such outputs, there is no possibility to 
unguard infinity many instantiations on receiver lock this way. We conclude that within the sequence T l===> T" 
there are only finitely many steps on receiver locks. 

Note that in T there are only finitely many unguarded test-statements and new test-statements can only be 
unguarded by unguarding an encoded source term or by a step on a receiver lock. Thus, since by the first 
two cases only finitely many encoded source terms can be unguarded and by the current case there are only 
finitely many steps on receiver locks, within the sequence Tt==>X" only finitely many new test-statements can 
be unguarded. 

7 Note that in most cases the considered names are restricted, so a simple alpha conversion may change them. Because of 
that, as already in the proof of Lemma [9] the use of concrete names in the following case split should not imply that we 
consider steps on these specific names. Instead the names refer to the meaning which is related to them by the encoding 
function. 



Case of Inputs on Translated Source Term Names: Since we consider only terms with finite representations, 
there are only finitely many unguarded inputs on translated source term names in T. New inputs on source 
terms names can only be unguarded by a step on a receiver lock. Since by the case before the number of steps 
on receiver locks is finite, within the sequence T \=> T' only finitely many inputs on translated source term 
names can be unguarded. Moreover, since by the second case the number of outputs on translated source term 
names is finite as well, there are only finitely many steps on translated source term names within the sequence 
T\=>T'. 

Case of I, V: Both names are used by the encoding function to refer to sum locks. The only steps on sum locks 
are to reduce a test-statement. Note that in case of a nested test-statement two sum locks are reduced, i.e., 
there are two steps on sum locks. However, since by the third case there are only finitely many test-statements, 
within the sequence Tl==>-T" there are only finitely many steps on sum locks. 

Case of t, f: t and / are used by the encoding function to implement booleans. As in the case of sum locks, all steps 
on these names are used to reduce a test-statement. So again, since there are only finitely many test-statements, 
within the sequence Tt==>T' there are only finitely many steps on t and /. 

□ 

Lemma 35 (Divergence Reflection). The encoding [ • ]™ reflects divergence. 

Proof. By Lemma [321 emulations and core steps corresponds. Because of that, an infinite sequence of target term 
steps [ S J" 1 i — > u with infinite many core steps implies that infinitely many source term steps are emulated, i.e., 
that S i — Because of that, it suffice to show that each sequence T t=> T' on target terms T, T' £ TVj . j- between 
two core steps is finite. The argumentation for the sequence of administrative steps I S ]™ \==>T' before the first 
core step and for the sequence of administrative steps after the last core step — in case of a terminating process — is 
then similar. 

Since source term names are translated into values, never used as links, it suffice to consider steps on names 
introduced by the encoding function. A look at the definition of the corresponding renaming policy in Figure 2] 
suggests the following case split! on the links of the steps in Tl==>T'. 

Case of s: The name s is used by the encoding function to denote sender locks. By Definition [17\ sender locks 
are carried as third value of output requests. Their purpose is to guard the encoded continuations within the 
encoding of output guarded source terms. Since we consider only terms with finite representation, there are 
only finitely many unguarded instantiations on sender locks in T. Analysing the encoding function in Figure [4] 
we observe, that new instantiations on sender locks appear only in the then-case of the (nested) test-statement 
in the encoding of input guarded source terms and in the encoding of a replicated input. Because of that, new 
instantiations on sender locks can be unguarded only by a core step followed by a pure administrative step to 
reduce the test-statement to the then-case. Some of these core steps may have happened before T, but of course 
only finitely many. So within the sequence T t=> T' only finitely many new instantiations on sender locks can be 
unguarded. We conclude that within the sequence T\=>T' there are only finitely many steps on sender locks. 
Note that the encoded continuation of input guarded source terms appears in parallel to such an instantiation of 
a sender lock within the then-case of a nested test-statement. Because of that, within the sequence T t=> T' only 
finitely many encoded continuations of encodings of input or output guarded source terms can be unguarded. 

Case of c r i , c r 2 : These two names are used to link the encoded continuations of several reductions of the same 
replicated input within a chain. Note that the first name denotes a chain lock carrying a translated source term 
name (compare to Definition I20[) . Again, since we consider only terms with finite representations, there are 
only finitely many instances, i.e., outputs, on these names. For each step on the chain lock a new output on 
an instance of c r g is unguarded. So the number of steps on instances of c r 2 is bounded by the number of steps 
on chain lock carrying a translated source term name. New instantiations of such chain locks are unguarded as 
instantiations of sender locks only in the then-case of the test-statement in the encoding of a replicated input. 
Because of that, new instantiations on such chain locks can be unguarded only by a core step followed by a pure 
administrative step to reduce the test-statement to the then-case. Some of these core steps may have happened 
before T, but of course only finitely many. So within the sequence T !==>■ T' only finitely many new instantiations 
on such chain locks can be unguarded. We conclude that within the sequence T l==> T' there are only finitely 
many steps on such chain locks and instances of c r g . 

8 Note that in most cases the considered names are restricted, so a simple alpha conversion may change them. Because of 
that, as already in the proof of Lemma [TOl the use of concrete names in the following case split should not imply that we 
consider steps on these specific names. Instead the names refer to the meaning which is related to them by the encoding 
function. 



Because of that, within the sequence T t=> T' only finitely many encoded continuations of encodings of replicated 
inputs can be unguarded. 

Case of p ,Pi,Po,up,Pi,up, m , m t , m . up , rm,up, n, r a , r, l1ip , r . up : All these names are request channels, i.e., there 
are introduced by [ • ]™ to transport requests. Since we consider only terms with finite representations, there 
are only finitely many unguarded requests in T. Moreover, by the two cases above, only finitely new requests can 
be unguarded within the sequence T\=$-T' by unguarding source term encodings. Thus there are only finitely 
many different unguarded requests within the sequence T\==$-T'. We have already argued that the encoding 
[ • ]™ puts much effort in restricting the way a request may take. We underpin this fact here, by proving that 
these ways do not include cycles. Note that inputs on requests channels do only appear within the encoding of 
the parallel operator or a replicated input (compare to Figure [4]). 

Let us consider the encoding of a parallel operator first. The terms procLeftOutReq and procLeftlnReq transmit 
all requests of the left side of a parallel operator encoding to the right side and upwards over the restriction 
on the request channels. In procRightOutReq and procRightlnReq the requests of the right side of the parallel 
operator encoding are linked in two chains, one for input and one for output requests. Therefore the requests 
of the right side are consumed, but a single copy of them is pushed upwards over the restriction on the request 
channels again. Then all left requests can be received by the respective first member of the chain of requests of 
opposite kind to the left request. Within these first members all left requests are consumed to combine them 
with the respective request behind this member and a copy of this left requests is further pushed along the chain. 
Now each member of that chain subsequently receives the left requests from its predecessor and sends a copy 
to its successor. Since the chains have no cycles and can not be infinitely long, each left request is only finitely 
often transmitted within each of these chains. In pushReqfor each left and right requests, that was pushed over 
the restriction on request channels at the left and right side of a parallel operator, a single copy either under the 
restriction of a surrounding parallel operator encoding or on free source term names is generated. Note that the 
requests on free source term names can never be consumed. Moreover, for each parallel operator encoding there 
is a parallel operator in the corresponding source term. Thus the parallel operator encodings cause the structure 
of a finite binary tree, i.e., there are only finitely many instances of the terms procLeftOutReq, procLeftlnReq, 
procRightOutReq, procRightlnReq, and pushReq. Note that because of the two first cases only finitely many new 
encodings of parallel operators can be unguarded. Because of that and since a tree is free of cycles, within 
the sequence Tl=>-T" there are only finitely many steps on requests, that arc induced by a parallel operator 
encoding. 

In the last case we prove, that only within T !==>■ T' only finitely many encoded continuations of encodings of 
replicated inputs can be unguarded. Because of that, there are only finitely many instances of encodedContinu- 
ations. Within each of these instances all requests originate from the respective replicated input or a more left 
instance of encodedContinuationsof the same replicated input encoding are copied twice by pushReqln; one copy 
is generated under a restriction of this instance of encodedContinuations to be combined with the requests within 
this branch and one copy is prepared to be transmitted to the respective next right branch of that encoded 
replicated input. All these first copies are proceed by procRightOutReq and procRightlnReq as a request of the 
left side of a parallel operator encoding, while each requests of the respective encoded continuation is proceed 
by these terms as a right request. For each such right request in pushReqOuta single copy is generated and 
the restriction of the surrounding parallel operator encoding. Moreover for each such left and each such right 
request a single copy is generated under the binding of the encodedContinuations, that is the next one in the 
chain. Since again there are no cycles, there are only finitely many steps on requests, that are induced by a 
encodedContinuations. We conclude, that within the sequence Tf==>-T" there are only finitely many steps on 
requests. 

Case of c , Ci m . These names implement chain locks carrying a request channel. They are used to allow for a new 
request at the right side of a parallel operator encoding to be linked in the corresponding chain. By the third 
case there are only finitely many such right requests and chains, so within the sequence T\=$-T' there are only 
finitely many steps on such chain locks. 

Case of r: The name r is used by [ ■ ]™ to introduce receiver locks. Since we consider only terms with finite 
representations, there are only finitely many unguarded instantiations on receiver locks in T. Anything the 
encoding in Figure [4] we observer that new instantiations on receiver locks are only unguarded due to a a 
matching pair of requests. By the third case, there are only finitely many different requests and steps on request 
channels within the sequence Tt==>T'. Moreover we observe that no request is ever combined with itself and 
no pair is combined twice. Because of that, within the sequence Tl=4> T" only finitely many new instantiations 
on receiver locks can be unguarded, i.e., there are only finitely many steps on receiver locks. 
Note that in T there are only finitely many unguarded test-statements and new test-statements can only be 
unguarded by unguarding an encoded source term or by a step on a receiver lock. Thus, since by the first 



two cases only finitely many encoded source terms can be unguarded and by the current case there are only 
finitely many steps on receiver locks, within the sequence T t=>- X" only finitely many new test-statements can 
be unguarded. 

Case of I, l s , h, h- All these names are used by the encoding function to refer to sum locks. The only steps 
on sum locks are to reduce a test-statement. Note that in case of a nested test-statement two sum locks are 
reduced, i.e., there are two steps on sum locks. However, since by the case before there are only finitely many 
test-statements, within the sequence T t==> T' there are only finitely many steps on sum locks. 

Case of i, /: t and / are used by the encoding function to implement booleans. As in the case of sum locks, all steps 
on these names are used to reduce a test-statement. So again, since there are only finitely many test-statements, 
within the sequence T\=>T' there are only finitely many steps on t and /. 

Case of y, y', z: These names are used by the encoding function as values only, but never as links. So there are no 
(administrative) steps on these names. 

□ 

Lemma 36 (Success Sensitiveness). The encodings [ • ] and [ • ] are success sensitive. 

Proof. We start with [ • By Definition [TJ we have to show that VS £ V s . S JJ-/ iff [ S f a J|/. Let S € V s be an 
arbitrary source term. We prove both directions separately. 

Case of S JJ./ implies [ S f JJ-/: By Definition [TTJ S JJ./ implies that there are some S' , S" G V$ such that S t=^ S' 
and S' = S" | /. By operational completeness (Lemma [50)1 . the sequence S t=> 5" can be emulated by [ S } a , 
i.e., there exists some T 6 VJt\ . ]| such that [5f a ^T and T=\\S' ]'. By Figure^ [ S" | /]' = [ S" f a | /. 
Thus \S" | JJv Since by Lemma [201 the encoding [ • F preserves structural congruence of source terms 
modulo =|, S' = S"\/ implies [ S' f a [ S" | /]*. By Definition Hi then for all contexts C ([•]) e T & -> T & 
such that C([0 ft) E Pati . n we have C ([ 5" fj C ([ 5" | /]*). Then, by the first condition of Definition 
M C ([ S' ]") 4/ iff C (I 5"! /]^) for all such contexts C. Thus I S" \ /]' ^ implies I 5' ]* ^. By the 
same argumentation we conclude that [ 5" ]^ JJ-/ implies T JJv. Since [ 5 J B t=> T, we conclude [ S J B JJ./. 

Case of [ i9 J* JJ-^ implies 5* JJv: By Definition ITU [ S 1 ]* JJ./ implies that either there is an unguarded occurrence 
of /in [ S f a or there are some T, T" e V & such that [ S f a T and T = T" \ S. In the first case, since the only 
way to obtain an occurrence of success in a target term is by [ /J s a = /, we conclude that there is an unguarded 
occurrence of success in [ S ] . In the other case, by operational soundness (Lemma I33[) . then there are some 
5' € V s and V € V a such that S t=> S', T t=> T, and T' ^| J S" Since T JJ./ and / can not be reduced, we 
have T" JJ-/. By Definition [Ml T' ^| I S" ]^ implies C (T") «^ C ([ S" ]*) for all contexts C ([•]) such 
that C ([ ]^) € Pafi . • By the first condition of Definition^ C (T) JJ,/ iff C (I 5' ]^) JJ-/ for all such contexts 
C. Thus T" JJ-/ implies [ S' } a JJ-/. Moreover, since T" includes an unguarded occurrence of success and since all 
occurrences of / in target terms are due to the encoding [ /]® = /, the sequence [ S J a \=> T' emulates a 
sequence S t=^> S' of target terms unguarding an occurrence of So S' has an unguarded occurrence of i.e., 
S' JJ-/. We conclude S JJ-/. 

The argumentation in case of [ • ]°* is similar to the argumentation of [ • J s above. For the first case note that, by 
Figure |H the parallel operator is not translated rigidly but since [ /]" = / and the encodings of the parameters 
of a parallel operator appear unguarded within the encoding of the parallel operator, the unguarded occurrence of 
/ in S" | / implies that there is an unguarded occurrence of / in [[ S" \ /]™. □ 

Theorem 1. The encodings [ • ] and [ • ] are good. 

Proof. By Figure [3] and Figure |4l both encodings are compositional. Name invariance is proved in the Lemmata 
[T]and[2j Operational correspondence follows by the Lemmata [30l [3"T1 and [33l Lemma [34] proves that [ • f a do not 
introduce divergence, while Lemma [35] proves the same condition for [ • ] . Finally, by Lemma l36l both encodings 
are success sensitive. Thus both encodings are good with respect to the five criteria introduced by Gorla. □ 

3 Degree of Distribution 

In the following we prove that [ • ] preserves the degree of distribution of its source terms, while [ • ] does not. For 
a definition what it means to preserve the degree of distribution have a look at Definition 5 in |PN12| . Moreover, we 
present an encoding function from 7r m (without replicated input) into jr a , the asynchronous 7r-calculus augmented 
with a two-level polyadic synchronisation. 



Note that for simplicity we omit in Figure [T] a structural congruence rule for replicated input. However, of course 
a replicated input represents a not determined number of instances of the corresponding input guarded term in 
parallel. In order to allow for the distribution of replicated inputs, we augment structural congruence by an additional 
rule, i.e., =* is structural congruence = augmented with the additional rule y* (x) .P =* y* (x) .P \ y* (x) .P to split 
up replicated inputs. 

Lemma 37. The encoding [ • ] a preserves the degree of distribution. 

Proof. Let S, Si, . . . , S„, S[, . . . , S' n G T s such that S =* Si | . . . | S n and Si t=> Si for all i with 1 < i < n. Then, 
by Definition 5 in PN12 , we have to show that: 

3T U ...,T n G P a . 3C ([•]!, . . . , [■]„) G K -> V* ■ I S H ^* C (T 1; . . . ,T n ) A (Vi G [1, . . . ,n] . T, ^= a \ S[ ]') 

Revisiting the argumentation in the proof of Lemma [20l the encoding [ • ] a preserves structural congruence of source 
terms except for the rule P \ = P, because it translates restriction, the parallel operator, and the match operator 
rigidly. Moreover, because of the rigid translation of the parallel operator, even the additional rule y* (x) .P =* 
y* (x) .P | y* (x) .P is preserved. Thus S =* Si \ . . . | S n implies [ S ]' =* [ Si \ . . . \ S n J a - I Si ] a | . . . | [ S n ] a , 
i.e., we can choose Ti = [ Si ] a for all i with 1 < i < n and C ([-]i, . . . , [•]„) = [-]i | ... | [•]„. By operational 
completeness (compare to Lemma |30|) . then Si l==> S- implies J Si ] a l==>=a I S^ ] a for all i with 1 < i < n, i.e., 
T^^llS'X. □ 

Lemma 38. Any good encoding, that translates the parallel operator rigidly and preserves enough of the structural 
congruence on source terras to ensure that S =i S\ \ . . . \ S n implies [ S ] =2 [ Si | . . . | S n ], preserves the degree 
of distribution. 

Proof. Let S, Si, . . . , S n , S[, . . . , S' n be terms of the source language such that S =1 Si \ . . . \ S n and Si l=> S'i for 
all i with 1 < i < n. Then, by Definition 5 in |PN12j . we have to show that: 

3T U . . . ,T n G V a . 3C ([•]!, . . . , [•]„) G Vt V a . [ Sj =2 C (T 1; . . . ,T n ) A (Vi G [1, . . . ,n] . T 4 \ S[ ]) 

Since the encoding translates the parallel operator rigidly and preserves enough of the structural congruence on 
source terms to ensure that S =1 S'i | . . . | S n implies [ S ] =2 [ Si | . . . | S n ], we have [ S ] =2 [ Si | . . . | S n ] = 
[ Si ] I ... I [ S n ], i.e., we can choose T, = I S, ] for all i with 1 < i < n and C ([-]i, . . . , [•]„) = [-}i \ ... \ [•]„. 
By operational completeness (compare to Definition [9]) , then Si t=> S- implies [[ S,; ] l=>=| I S 2 ' ] for all i with 
1 <i<n, i.e., Ti^^ [SH- □ 

Lemma 39. The encoding [ • J does not preserve the degree of distribution. 

Proof. Consider the counter example S = (a | fo) | (a \ b). S can perform two different reductions, which are 
independent of each other. So S = Si | S2 with Si — (a a) and S2 = (b \ 6) such that Si 1 — > and S2 1 — > 0. 
Of course, since [ • ]™ is good, [ S J™ can emulate both steps in either order. But it can not emulate both truly in 
parallel. 

To prove this fact, let us assume the contrary, i.e., let us assume the encoding [ • J™ preserves the degree of 
distribution of S. Then, by Definition 5 in |PN12j . we have: 

3Ti,T 2 G P a . 3C ([-]i, [-] 2 ) e V a x P a ^ P a . I S C ^* C (Ti, T 2 ) A T x [ S[ £ A T 2 I S' 2 ] a ° 

The encoding of S is given by: 

\ S J a (/^ m Q , 772.^ , Po.up 1 Pi, up 5 ^01 Cj, THo.up 7 m>i,up ) ( 

(vp ,Pi) ^[a I 6 J™ I procLeftOutReq | procLeftlnReq^ 

I [vp a ,Pi) (I a I 6 J™ I procRightOutReq | procRightlnReq) 
I pushReq) 



We observe that for both source term steps their emulations require that the corresponding requests are combined 
at the outermost parallel operator encoding, i.e., the one given above. Moreover, in both emulations the output 



requests arrive at the left and the input requests arrive at the right side of this parallel operator encoding. Thus, 
for both emulations the requests are proceed by procRightlnReq. 



procRightlnReq = c7(m ) | c* (m ) .p, (y,l r ,r).( 

{vm ,up) (m * (y',l a ,s,z) .{[y' = y]r (l s J r ,l s ,s,z) | m 0jUp (y' ', l s , s,z)) 

| (v m ) (m 0iUp -» m \ ~ci (m )) ) 
I W~^(yJr,r)) 

Note that, since [a]™ and [ 6 J a appear unguarded in [ a | bj a , it is not difficult to distribute [a | 5] over 
T\ and T 2 , because the respective context introduced by the corresponding parallel operator encoding is not used 
within the considered emulations, i.e., they can be proved to be junk. The same holds for [a | b J . Moreover, since 
none of the terms procLeftlnReq, procRightOutReq, and pushReq of the outermost parallel operator encoding is of 
any importance for the considered emulations, it does not matter whether we put them within T\ or T 2 . Note that 
for each of the considered emulations it is necessary to transmit one left output request to the right side of the 
outermost parallel operator encoding by the forwarder in procLeftOutReq. However, since this forwarder is guarded 
by a replicated input we can use the rule y* (x) .P =* y (x) .P | y* (x) .P to distribute this forwarder, e.g. by placing 
p (y, I, s, z) . (m Q (y, /, s, z) \ p ^ up {y, I, s, z)) within T\ and the rest of the forwarder within T 2 . The only remaining 
term to distribute is procRightlnReq. 

Since Ti \=^=™ [ and T 2 \=>=f \ S' 2 ] a n , both T x and T 2 need the ability to proceed a request from 

[ a I b ]™. Since the respective right requests are restricted the only possibility to process them is procRightlnReq. 
We observe that the main part of procRightlnReq is guarded by a replicated input and can thus be distributed 
as procLeftOutReq before. But there is only one unguarded instantiation of the corresponding chain lock ~ci (m ) 
and without it the remaining term guarded by the replicated input on this chain lock is useless. Because of that 
procRightlnReq can not be distributed, i.e., it is not possible to distribute the encoding of S such that [ S ]™ =* 
(vx) (Tx I T 2 ), Ti t==^="M S[ ]™, and T 2 I S 2 17- 

Because of that [ S ] a can not emulate both source term steps without sequentialising the linking of the respec- 
tive right requests within the required chain. So [ S ]™ can not completely emulate the independent source terms 
steps in parallel. □ 

Lemma 40. Any good encoding [ • ] preserves the criterion: For every S such that S = Si | . . . | S n and Si t=> S*,' 
for all i with 1 < i < n, there exists T\, . . . , T n and a context C with n holes such that [ S ] = 2 C (T\, . . . , T n ) and 
Ti t=^x [ S- ] for all i with 1 < i < n. 

Proof. Assume neN and S, S±, . . . , S n , S[ , . . . , S' n are terms of the source language such that S = S± \ . . . \ S n and 
(Vi G [1, . . . , n] .Si t=> Sj). Moreover, for simplicity, let us assume, that £1 | . . . | S n = (Si \ (. . . (SV1-1 | S n ) . . .), 
but note that the actually orientation of the brackets is not import for the rest of the proof. Let C, ([-]i, [) 2 ) be 
the context introduced by the encoding of the parallel operator, i.e., [ P | Q ] = C, ([ P ] , [ Q ]) for all P, Q in 

the source language. Then \ S ] = C, (j Si ] , C { (. . . C, (I S n -i ],[£„])).. .V So we can choose T t = [ Si ] for all 

i € [1, . . . , n] and C (Ti, . . . , T n ) — [ S ]. By operational completeness (compare to Definition [5]) , then Ti l==>x I SI ] 
for all i with 1 < i < n. □ 

Theorem 2. There is no good encoding from 7r m into 7r a that preserves the degree of distribution. 

Proof. By the Theorem in [PSNllj . any good encoding from n m into 7r a introduces additional causal dependencies. 
Note that in [PSNllj slightly different definitions of ir nl and 7r a are used, i.e., they use IP instead of replicated input, 
have no match in the source language, and no r-prefix. However, revisiting the argumentation on the proof of the 
Theorem in [PSN11] we observe that these details are not crucial. 

A closer look at the definition of additional causal dependencies used in [PSNlT] reveals, that they show that 
any good encoding from 7r m into 7r a introduces causal dependencies between some emulations of independent source 
term steps. As already stated in the discussion of [PSNiTj, because of this causal dependency some emulations 
of independent source terms steps have to be sequentialised, i.e., the emulations can still be performed in either 
order and even somehow overlapping but not completely independent. Note that this is exactly what we observe in 
Lemma [551 Because of that, there is no good encoding from 7r m into 7r a that preserves the degree of distribution. □ 

Let 7r a be the asynchronous 7r-culus augmented with poliadic synchronisation on channels composed by up to 
two names as introduced by |CM03j . 



Definition 31 (ir^). The set of process terms of the asynchronous 7r-calculus with two-level poliadic synchronisa- 
tion, denoted by P a 2 , is given by 

P ::= | (un)P | Pi | P 2 \ [a = b]P \ y (z) .P \ y{x).P \ y* (x) .P 

for some names n,a,b £ Af, some finite sequences of names x, z C M , and either y G TV or y — y\ ■ y 2 for some 

yi,V2 e AA. 



[P|<3]5 - (vPo,up,Pi,uj,,i,°) ( 

(*p„,Pi)([PI3 

p D * (y, /, si, s 2 ,2:) . (y~~o{l, si,s 2 ,z) I p^{y, I, si,s 2 ,z)) 

P>* (y, 4 . (y ■ i {/, r) | pj~^ {y, I, r)) ) 
I (fPoPi)( [015 

I Po* (y, 4, si, s 2 , 2) . (y • i (Z r , r) .r (4-, 4, l s , si,s 2 ,z, T) | p^ {y, l s ,si,s 2 ,z}) 
I Pi* (y, 4, r) . (y -o(l s , si, s 2 , 2) .f (4, 4, 4, si, s 2 ,2, _L) | W~^{y, l r , J")) ) 

I po,up Po I pi, up * 

[y(a).PI5 = (fsi,*) (sT j 4si,s2,2) I s 2 . |[P ]™ 2 ) 

[ 2/ (») 15 - (^ r ) (W(y, 4r) I >-* (fa, fa, -,si,s 2 ,a;,&). 

test /1 then test fa then IT (-L) | fa <-L) | s5 | [ P }™a 

else fa (T) I fa (-L) | test 6 then p7 (y, i, r) else sT 
else fa (_L) I test b then sT else Jh (y,l,r)) 

Here 95^2 is some arbitrary injective substitution such that Vn 6 A/" . (fi™2 (n) £ N, where 
N = {p ,Pi,Po,up,Pi,u P , I, h, fa, fa, fa, si, S2, r, o, i, y, y, z, t, f, b} . The remaining operators restriction, sum, r guarded terms, 

and / are translated as in [ ■ ]* or [ • ] m again. 

Fig. 6. Encoding [ ■ K from 7r m without replicated input into tt%. 

For simplicity, we do not consider replicated input on the source language. Then the encoding [ • J 2 , given in 
Figure El is a good encoding from ir m without replicated input into -k\. Note that, to prove that [ • ]^ is correct 
with respect to the criteria presented in Section 11.31 we can argument very similar as for [ ■ ]™, because the main 
feature, i.e., the way in which sum locks are ordered, is the same for both encodings. On the other side, as already 
stated by |CM03j . there is no good encoding from n m into ir^, that translates the parallel operator rigidly. Note 
that the separation result in |CM03] does not rely on replication, i.e., it also implies that there is no such encoding 
from 7r m without replicated input into 
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